REPORT DOCUMENTATION PAGE

Report Security Classification: UNCLASSIFIED
Distribution/Availability of Report: Approved for public release; distribution is unlimited
Name of Performing Organization: Computer Science Dept., Naval Postgraduate School
Office Symbol: CS
Address: Monterey, CA 93943-5000
Name of Monitoring Organization: Naval Postgraduate School
Address: Monterey, CA 93943-5000
Title (Include Security Classification): PROTOCOL VALIDATOR FOR THE SCM AND CFSM MODELS
Personal Author: Bulbul, Zeki Bulent
Type of Report: Master's Thesis
Time Covered: from 09/92 to 06/93
Date of Report (Year, Month, Day): June 1993
Page Count: 143
Supplementary Notation: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the United States Government.
Subject Terms: Systems of Communicating Machines, Communicating Finite State Machines, SCM, CFSM, Protocol Verification.
Abstract: given in full in the Abstract section below.
Abstract Security Classification: UNCLASSIFIED
Distribution/Availability of Abstract: [X] unclassified/unlimited  [ ] same as rpt  [ ] DTIC users
Telephone (Include Area Code): (408) 656-2094/2449

DD FORM 1473, 84 MAR. 83 APR edition may be used until exhausted; all other editions are obsolete.
SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED


Approved  for  public  release;  distribution  is  unlimited 
A  Protocol  Validator  for  the  SCM  and  CFSM  Models 


by 

Zeki  Bulent  Bulbul 

LTJG,  Turkish  Navy 

B.S.,  Turkish  Naval  Academy,  1987 


Submitted  in  partial  fulfillment  of  the 
requirements  for  the  degree  of 


MASTER  OF  COMPUTER  SCIENCE 


from  the 

NAVAL  POSTGRADUATE  SCHOOL 

June 1993


ABSTRACT 

This  thesis  introduces  and  describes  a  software  tool  called  Mushroom  which 
automates  the  analysis  of  network  protocols  specified  by  the  Systems  of  Communicating 
Machines  (SCM)  and  the  Communicating  Finite  State  Machines  (CFSM)  models.  SCM  is 
a  formal  model  for  the  specification,  verification,  and  testing  of  communication  protocols. 
This  model  was  originally  developed  to  improve  the  CFSM  model  which  is  a  simpler  and 
earlier  Formal  Description  Technique  (FDT). 

The  program  is  developed  as  two  separate  programs  in  the  Ada  programming 
language.  The  first  program  automates  either  the  system  state  analysis  (Smart  Mushroom), 
or  the  full  global  analysis  (Big  Mushroom)  for  a  protocol  specified  by  the  SCM  model.  The 
second  program  called  Simple  Mushroom,  automates  the  global  reachability  analysis  for 
the  CFSM  model. 

Mushroom  greatly  facilitates  the  use  of  these  models  for  protocol  design  and  analysis. 
The  run  time  and  memory  efficiency  of  a  previous  program  was  improved  to  allow  the 
analysis  of  larger  and  more  complex  protocols.  The  program  was  also  extended  to  accept 
up  to  eight  machines  (processes)  in  the  protocol  specification.  The  user  interface  of  the 
program  has  also  been  improved. 

Mushroom  has  been  used  to  verify  some  well  known  protocols  specified  by  the  SCM 
and  CFSM  models  such  as  the  token  bus  protocol,  Go  Back  N  and  Lap-B  data  link  control 
protocol. 
I. INTRODUCTION

A.     MOTIVATION 

In the last decade, increasing complexity in computer communication systems has created a growing demand for formal techniques to specify, design, verify and test protocols. In order to have a clear understanding of a protocol, both for the protocol designer and the implementor, it is essential to have a formal protocol specification.

There are a large number of formal techniques available for modeling protocols. Most of these methods can be placed into one of the following general classifications [Ref. 1]: communicating finite state machines, Petri nets, programming languages and hybrids. Some models that have attracted the most interest and have been chosen for standardization are ESTELLE, LOTOS and SDL. Each of these has its own pros and cons.

Systems of communicating machines (SCM) is also a formally defined model for the specification, analysis and testing of protocols; it is defined in [Ref. 2]. This model uses a combination of finite state machines and variables, which may be local to a single machine or shared by two or more machines, so it can be classified among the models known as "extended finite-state machines." The main goal of the SCM model was to improve the well-known, simpler Communicating Finite-State Machines (CFSM) model. The SCM model has been used to specify and analyze several protocols [Ref. 3], [Ref. 4], [Ref. 5], [Ref. 6], [Ref. 7]. Analysis of protocols specified with this model can be executed using a method called system state analysis. This analysis is similar to global reachability analysis, but generates a subset of all reachable states. Sometimes this subset is sufficient to verify the protocol. In some cases system state analysis is not sufficient for protocol analysis, and global analysis is needed. However, it is possible to automate both the system state analysis and the global analysis based on the SCM model.

Several  tools  exist  for  the  design  and  verification  of  protocols.  These  tools  are  very 
important  for  increasing  the  usefulness  of  the  formal  description  techniques  (FDT). 

While  there  is  no  "perfect"  formal  specification  technique,  there  is  still  room  for  more 
work  to  understand  the  advantages  of  different  formal  models  and  develop  better  tools  to 
increase  the  utilization  of  these  models. 

B.  SCOPE  OF  THE  THESIS 

The goal of the thesis is to present a software tool, called Mushroom, that automates the reachability analysis of protocols formally specified using the CFSM and SCM models. The name Mushroom was chosen as a symbol of something that starts out relatively small (the specification) and gets much bigger quickly (the analysis). An earlier version of the program [Ref. 8] was capable of generating the reachability analysis only for protocols consisting of two machines. This thesis expands on this earlier work and is capable of analyzing protocols that have any number of machines from two to eight. In addition, the user interface of the program has also been improved. The program was tested against the results of several previous works and has confirmed their results. It is also believed that this program will help to solve some problems concerning the SCM model.

C.  ORGANIZATION 

The thesis has six chapters. Chapter II reviews the Communicating Finite State Machines (CFSM) and Systems of Communicating Machines (SCM) models. In Chapter III, a program called Simple Mushroom, which automates the global reachability analysis based on the CFSM model, is described. Chapter IV describes a program that automates either the system state analysis (Smart Mushroom) or the full global analysis (Big Mushroom) for a protocol specified formally using the SCM model. In Chapter V, some examples of the use of the program are given. Chapter VI concludes the thesis with a research review and suggestions for future work.


II.  BACKGROUND  OF  MODELS 

A.     COMMUNICATING  FINITE  STATE  MACHINES 

The communicating finite state machine (CFSM) model is a simple model and perhaps the earliest FDT. In this model, each machine in the network is modeled as a finite automaton or finite state machine (FSM), with the communication channels between pairs of machines modeled as one-way, infinite length FIFO queues. There is a great deal of literature on this model [Ref. 9] [Ref. 10] [Ref. 11]. The model is defined for an arbitrary number of machines; however, for simplicity, a two machine model (shown in Figure 1) will be presented here.


(Figure 1: two panels, Machine 1 and Machine 2.)

Figure 1: CFSM, 2 machine model representation

1.     Model  Definition 

This  section  defines  the  CFSM  model  [Ref.  12]  and  provides  a  simple  protocol 
specification  and  analysis  to  clarify  the  definition. 

A communicating machine M is a finite, directed labeled graph with two types of edges, sending and receiving. A sending (receiving) edge is labeled '-g' ('+g') for some message g, taken from a finite set G of messages. One of the nodes in M is identified as the initial node, and each node is reachable from the initial node by some directed path. A node in M whose outgoing edges are all sending (receiving) edges is a sending (receiving) node; otherwise the node is a mixed node. If the outgoing edges of each node in M have distinct labels, then M is deterministic, otherwise M is nondeterministic. The nodes of M are often referred to as states; these two terms will be used interchangeably throughout this thesis.

Let M and N be two communicating machines having the same set G of messages; the pair (M,N) is a network. A global state of this network is a four tuple [m,cm,n,cn], where m and n are nodes (states) from M and N, and cm and cn are strings from the set G of messages. Intuitively, the global state [m,cm,n,cn] means that the machines M and N have reached states m and n, and the communication channels contain the strings cm and cn of messages, where cm denotes the messages sent from M to N in channel CM, and cn denotes the messages sent from N to M in channel CN. In the case of k machines, where k > 2, the global state can be represented as [m1,q12,q13,...,m2,q21,q23,...,m3,q31,q32,...,mk,qk1,qk2,...], where mi is the node of machine Mi and qij contains the messages sent from Mi to Mj. Subscripts i and j range from 1..k and i ≠ j.

The initial global state of (M,N) is [m0,E,n0,E], where m0 and n0 are the initial states of M and N, and E is the empty string.

The network progresses as transitions are taken in either M or N. Each transition consists of a state change in one of the machines, and either the addition of a message to the end of one channel (sending transition) or the deletion of a message from the front of one channel (receiving transition).

A sending transition in M (N) adds a message to the end of channel CM (CN); a receiving transition in M (N) removes a message from the front of channel CN (CM).

Suppose +g is a receiving transition from state i to j in machine M (N). The transition can be executed if and only if M (N) is in state i and the message g is at the front of the channel CN (CM). The execution takes zero time. After its execution, machine M (N) is in state j, and the message g has been removed from the channel CN (CM).

Similarly, suppose -g is a sending transition from state i to j in M (N). The transition can be executed if and only if M (N) is in state i. Afterwards, g appears on the end of the outgoing channel, and the machine has transitioned to state j.

Suppose S1 = [m,c1,n,c2] is a global state of (M,N). State S2 follows S1 if there is a transition (in M or N) which can be executed in S1 and whose execution yields S2. State S2 is reachable from S1 if there is a sequence of states Si, Si+1, ..., Si+p such that Si follows S1, Si+1 follows Si, and so on, and S2 follows Si+p. A state S is reachable if it is reachable from the initial state.

The communication of a network (M,N) is bounded if, for every reachable state [m,cm,n,cn], there is a nonnegative integer k such that |cm| < k and |cn| < k, where |c| denotes the number of messages in channel c.

A reachability graph of a network (M,N) is a directed graph in which the nodes correspond to the reachable global states of (M,N), and the edges represent the follows function. That is, there is an edge from state Si to state Sj if and only if Sj follows Si. The edges are labeled with the transitions which they represent. This reachability graph can be generated by starting with the initial state, and adding the states which follow it, connecting them to it with edges; and repeating for each new state generated.

The  next  two  definitions  are  of  errors  that  may  occur  in  a  communication 
protocol,  which  are  detectable  by  analysis. 

A global state [m,cm,n,cn] is a deadlock state if both m and n are receiving nodes, and cm = cn = E, where E denotes the empty string.

A global state [m,cm,n,cn] is an unspecified reception state if one of the following two conditions is true:

(1) m is a receiving state, the message at the head of channel cn is g, and none of m's outgoing transitions is labeled '+g'.

(2) n is a receiving state, the message at the head of channel cm is g, and none of n's outgoing transitions is labeled '+g'.

These  error  conditions  can  be  identified  by  generating  the  reachability  graph  for 
a  network,  and  inspecting  all  states  as  they  are  generated. 

In  the  next  section,  an  example  protocol  is  specified  and  analyzed  using  the 
CFSM  model. 

2.     An  Example  of  Protocol  Specification  and  Analysis  Using  CFSM 

CFSM specification of an imaginary ring-like network consisting of three communicating machines is shown in Figure 2.

(Figure 2: three panels, Machine 1, Machine 2 and Machine 3; the legible edge labels are -D3,2, +D2,3, +D3,1, -D1,3, +D0,1 and -D2,1.)

Figure 2: CFSM specification for the example protocol


It  is  assumed  that  the  protocol  is  used  at  the  data  link  layer,  making  use  of  the 
services  provided  by  the  physical  layer. 


Edges are labeled such that the characters following the '-' or '+' show the message and the number represents the destination machine. Each machine sends one message to the next machine and receives a message from the previous machine, in clockwise direction, forming a ring. Ignore the dashed edges and nodes for the time being. The initial state of each machine is 1; thus the initial global state is [1,E,E,1,E,E,1,E,E].

The reachability analysis can be done by a simple procedure. Starting with the initial global state, only one transition is possible: '-D0' of machine 1 from state 1. This leads to global state [2,D0,E,1,E,E,1,E,E]. We can continue the analysis in the same manner, detecting the possible transitions from this new global state. The complete reachability analysis is given in Figure 3 and consists of a total of six states.


[1,E,E,1,E,E,1,E,E]
  | -D0,2
[2,D0,E,1,E,E,1,E,E]
  | +D0,1
[2,E,E,2,E,E,1,E,E]
  | -D1,3
[2,E,E,1,E,D1,1,E,E]
  | +D1,2
[2,E,E,1,E,E,2,E,E]
  | -D2,1
[2,E,E,1,E,E,1,D2,E]
  | +D2,3 (back to the initial state [1,E,E,1,E,E,1,E,E])

Figure 3: Reachability analysis of the example protocol
In this sample protocol, there are no deadlocks or unspecified receptions. If the dashed edges and states in Figure 2 are added to the specification, the reachability analysis shown in Figure 4 would be obtained. In this analysis there is one deadlock condition and one unspecified reception. In global state [3,E,E,3,E,E,1,E,E], all the channels are empty and all the nodes are receiving nodes, satisfying the deadlock condition. In global state [2,E,E,1,E,E,3,D4,E], machine 1 and machine 2 are in receiving states but none of the outgoing transitions are labeled '+D4', satisfying an unspecified reception condition.


The six-state cycle of Figure 3 ([1,E,E,1,E,E,1,E,E] -D0,2 [2,D0,E,1,E,E,1,E,E] +D0,1 [2,E,E,2,E,E,1,E,E] -D1,3 [2,E,E,1,E,D1,1,E,E] +D1,2 [2,E,E,1,E,E,2,E,E] -D2,1 [2,E,E,1,E,E,1,D2,E] +D2,3 back to the initial state), plus the states reached through the dashed edges:

[1,E,E,1,E,E,1,E,E]
  | -D3,2
[3,D3,E,1,E,E,1,E,E]
  | +D3,1
[3,E,E,3,E,E,1,E,E]   Deadlock

[2,E,E,1,E,E,2,E,E]
  | -D4,1
[2,E,E,1,E,E,3,D4,E]   Unspecified Reception

Figure 4: Reachability analysis including errors
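The reachability procedure and the two error checks defined above, as an added Python example; it is not the thesis's code (the Mushroom programs are written in Ada). The solid-edge ring RING is transcribed from the transitions of Figure 3. The second specification, FAULTY, is a constructed stand-in for the dashed edges of Figure 2, whose labels are only partly legible here, chosen so that it reaches the nine global states of Figure 4; the '+D5' edges on node 3 and the names RING, FAULTY, reachability, successors and fmt are assumptions of the example, not the thesis's.

```python
from collections import deque

# Added example, not the thesis's Ada code. A machine is a dict
# node -> [(kind, msg, peer, next_node)]: kind '-' sends msg to machine `peer`,
# kind '+' receives msg from `peer`. Machine indices are 0-based internally;
# labels are printed 1-based like the page ("-D0,2" = send D0 to machine 2).

def is_receiving(machine, node):
    """Receiving node: has outgoing edges and all of them are receiving edges."""
    edges = machine.get(node, [])
    return bool(edges) and all(kind == '+' for kind, _, _, _ in edges)

def initial_state(machines, initial_nodes):
    """Global state = (node tuple, sorted tuple of ((src, dst), FIFO contents))."""
    k = len(machines)
    chans = {(i, j): () for i in range(k) for j in range(k) if i != j}
    return tuple(initial_nodes), tuple(sorted(chans.items()))

def successors(machines, state):
    """Yield (label, next_state) for every transition executable in `state`."""
    nodes, frozen = state
    chans = dict(frozen)
    for i, node in enumerate(nodes):
        for kind, msg, peer, nxt in machines[i].get(node, []):
            new_chans = dict(chans)
            if kind == '-':                      # append to the end of channel i -> peer
                new_chans[(i, peer)] = chans[(i, peer)] + (msg,)
            else:                                # msg must be at the front of peer -> i
                q = chans[(peer, i)]
                if not q or q[0] != msg:
                    continue
                new_chans[(peer, i)] = q[1:]
            new_nodes = nodes[:i] + (nxt,) + nodes[i + 1:]
            yield f"{kind}{msg},{peer + 1}", (new_nodes, tuple(sorted(new_chans.items())))

def is_deadlock(machines, state):
    """All machines in receiving nodes and every channel empty."""
    nodes, frozen = state
    return (all(is_receiving(machines[i], n) for i, n in enumerate(nodes))
            and all(q == () for _, q in frozen))

def unspecified_receptions(machines, state):
    """Machines (0-based) sitting in a receiving node whose non-empty incoming
    channel has a head message that none of the node's '+' edges accepts."""
    nodes, frozen = state
    bad = []
    for i, node in enumerate(nodes):
        if not is_receiving(machines[i], node):
            continue
        for (src, dst), q in frozen:
            if dst == i and q and not any(
                    m == q[0] and peer == src for _, m, peer, _ in machines[i][node]):
                bad.append(i)
    return bad

def reachability(machines, initial_nodes):
    """Breadth-first generation of the reachability graph from the initial state.
    Returns (reachable states, labelled edges, deadlock states, unspecified-
    reception states). Terminates only if the communication is bounded."""
    start = initial_state(machines, initial_nodes)
    seen, edges, deadlocks, unspec = {start}, [], [], []
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if is_deadlock(machines, s):
            deadlocks.append(s)
        if unspecified_receptions(machines, s):
            unspec.append(s)
        for label, t in successors(machines, s):
            edges.append((s, label, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges, deadlocks, unspec

def fmt(state):
    """Render a state in the page's layout [m1,c12,c13,m2,c21,c23,m3,c31,c32]."""
    nodes, frozen = state
    chans, k, parts = dict(frozen), len(nodes), []
    for i in range(k):
        parts.append(str(nodes[i]))
        parts += ["".join(chans[(i, j)]) or "E" for j in range(k) if j != i]
    return "[" + ",".join(parts) + "]"

# Solid edges of Figure 2, transcribed from the transitions of Figure 3.
RING = [
    {1: [('-', 'D0', 1, 2)], 2: [('+', 'D2', 2, 1)]},   # machine 1
    {1: [('+', 'D0', 0, 2)], 2: [('-', 'D1', 2, 1)]},   # machine 2
    {1: [('+', 'D1', 1, 2)], 2: [('-', 'D2', 0, 1)]},   # machine 3
]

# Constructed stand-in for the dashed edges: machine 1 may also send D3 from
# node 1, machine 2 accepts it, machine 3 may send D4 from node 2. The '+D5'
# edges are assumed only so that node 3 is a receiving node (labels not on page).
FAULTY = [
    {1: [('-', 'D0', 1, 2), ('-', 'D3', 1, 3)], 2: [('+', 'D2', 2, 1)], 3: [('+', 'D5', 1, 3)]},
    {1: [('+', 'D0', 0, 2), ('+', 'D3', 0, 3)], 2: [('-', 'D1', 2, 1)], 3: [('+', 'D5', 0, 3)]},
    {1: [('+', 'D1', 1, 2)], 2: [('-', 'D2', 0, 1), ('-', 'D4', 0, 3)], 3: [('+', 'D5', 0, 3)]},
]

if __name__ == "__main__":
    for name, spec in (("Figure 3", RING), ("Figure 4", FAULTY)):
        states, edges, dl, ur = reachability(spec, (1, 1, 1))
        print(f"{name}: {len(states)} states")
        for s, label, t in edges:
            print(f"  {fmt(s)} --{label}--> {fmt(t)}")
        print("  deadlocks:", [fmt(s) for s in dl])
        print("  unspecified receptions:", [fmt(s) for s in ur])
```

Running the script prints the six edges of Figure 3 for RING and, for FAULTY, nine states with [3,E,E,3,E,E,1,E,E] reported as a deadlock and [2,E,E,1,E,E,3,D4,E] as an unspecified reception. The unspecified-reception check is the k-machine form of the page's rule: it flags only a machine whose own incoming channel holds an unreceivable message, so machine 2 (whose channel is empty) is not flagged even though it is also in a receiving node.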

3.     Summary 

The CFSM model is simple and easy to understand. However, as protocols become more complex, this model becomes difficult to use due to a combinatorial explosion of states. The analysis might not terminate if the queue length is unbounded. The number of states in the reachability graph will be unmanageably large for such complex protocols even if the queue length is bounded. A computer analysis might eventually terminate, but the CPU time would still be days or even months, which is obviously impractical.

Another disadvantage is that as protocols become more complex, the specification of the protocol can be so large, consisting of many states and transitions, that it becomes very hard to tell whether it is the intended specification. Several examples that show how large the analysis becomes for some protocols are given in Chapter V.

B.     SYSTEMS  OF  COMMUNICATING  MACHINES 

In  this  section  the  SCM  model  is  described.  First  the  model  definition  is  given,  then 
the  algorithm  for  generating  the  system  state  analysis  is  described.  Finally  the  model  is  used 
for  specification  and  analysis  of  an  example  protocol  to  illustrate  the  important  aspects  of 
the  model. 

1.     Model  Definition 

A system of communicating machines is an ordered pair C = (M,V), where

M = {m1, m2, ..., mn}

is a finite set of machines, and

V = {v1, v2, ..., vk}

is a finite set of shared variables, with two designated subsets Ri and Wi specified for each machine mi. The subset Ri of V is called the set of read access variables for machine mi, and the subset Wi the set of write access variables for mi.

Each machine mi ∈ M is defined by a tuple (Si, si, Li, Ni, τi), where

(1) Si is a finite set of states;

(2) si ∈ Si is a designated state called the initial state of mi;

(3) Li is a finite set of local variables;

(4) Ni is a finite set of names, each of which is associated with a unique pair (p,a), where p is a predicate on the variables Li ∪ Ri, and a is an action on the variables of Li ∪ Ri ∪ Wi. Specifically, an action is a partial function

a: Li × Ri → Li × Wi

from the values of the local variables and read access variables to the values of the local variables and write access variables.

(5) τi: Si × Ni → Si is a transition function, which is a partial function from the states and names of mi to the states of mi.

Machines model the entities, which in a protocol system are processes and channels. The shared variables are the means of communication between the machines. Intuitively, Ri and Wi are the subsets of V to which mi has read and write access, respectively. A machine is allowed to make a transition from one state to another when the predicate associated with the name for that transition is true. Upon taking the transition, the action associated with that name is executed. The action changes the values of local and/or shared variables, thus allowing other predicates to become true.

The  sets  of  local  and  shared  variables  specify  a  name  and  range  for  each.  In  most 
cases,  the  range  will  be  a  finite  or  countable  set  of  values.  For  proper  operation,  the  initial 
values  of  some  or  all  of  the  variables  should  be  specified. 

A system state tuple is a tuple of all machine states. That is, if (M,V) is a system of n communicating machines, and si, for 1 ≤ i ≤ n, is the state of machine mi, then the n-tuple (s1, s2, ..., sn) is the system state tuple of (M,V). A system state is a system state tuple, plus the outgoing transitions which are enabled. Thus two system states are equal if every machine is in the same state, and the same outgoing transitions are enabled.

The global state of a system consists of the system state tuple, plus the values of all variables, both local and shared. It may be written as a larger tuple, containing the system state tuple with the values of the variables. The initial global state is the initial system state tuple, with the additional requirement that all variables have their initial values. The initial system state is the system state such that every machine is in its initial state, and the outgoing transitions are the same as in the initial global state.

A  global  state  corresponds  to  a  system  state  if  every  machine  is  in  the  same  state, 
and  the  same  outgoing  transitions  are  enabled.  Clearly,  more  than  one  global  state  may 
correspond  to  the  same  system  state. 

Let τ(s1,n) = s2 be a transition which is defined on machine mi. Transition τ is enabled if the enabling predicate p, associated with name n, is true. Transition τ may be enabled whenever mi is in state s1 and the predicate p is true (enabled). The execution of τ is an atomic action, in which both the state change and the action a associated with n occur simultaneously.

It  is  assumed  that  if  a  transition  is  enabled  indefinitely,  then  it  will  eventually 
occur.  This  is  an  assumption  of  fairness,  and  is  needed  for  the  proofs  of  certain  properties. 

2.     Algorithm:  System  State  Analysis 

The  process  of  generating  the  set  of  all  system  states  reachable  from  the  initial 
state  is  called  system  state  analysis.  This  analysis  constructs  a  graph,  whose  nodes  are  the 
reachable  system  states,  and  whose  arcs  indicate  the  transitions  leading  from  each  system 
state  to  another.  This  graph  may  be  generated  by  a  mechanical  procedure  which  consists  of 
the  following  three  steps  [Ref.  1]: 

1.  Set  each  machine  to  its  initial  state,  and  all  variables  to  their  initial  values.  The 
initial  set  of  reachable  system  states  consists  of  only  the  initial  system  state;  the 
initial  graph  is  a  single  node  representing  this  state. 

2. From the current system state vector and variable values, determine which transitions are enabled. For each of these transitions, determine the system state which results from its execution. If this state (with the same enabled transitions) has already been generated, then draw an arc from the current state to it, labelling the arc with the transition name. Otherwise, add the new system state to the graph, draw an arc from the current state to it, and label the arc with the name of the transition.

3.  For  each  new  state  generated  in  step  2,  repeat  step  2.  Continue  until  step  2  has 
been  repeated  for  each  system  state  thus  generated,  and  no  more  new  states  are 
generated. 

3.     An  Example  of  Protocol  Specification  and  Analysis  Using  SCM 

The specification of an imaginary ring-like network consisting of three machines, similar to the CFSM example in the previous section, is given in Figure 5. The specification consists of the finite state machines, the local and shared variables, and the predicate-action table, shown in Table 1. The local variables are in_buff1, in_buff2, in_buff3, out_buff1, out_buff2 and out_buff3, shown under the corresponding FSMs with their initial values. The shared variables are CHAN1, CHAN2 and CHAN3, shown between the two machines. The initial state of each machine is 0, and all shared and local variables are initially empty except the local variable out_buff1, which has data in it. E in the predicate-action table denotes the empty string. The character D will be used to represent the data in the out_buff1 local variable. The other notation in the predicate-action table is intuitive.

Each machine sends one message to the next machine and receives a message from the previous machine, in clockwise direction, forming a ring. The global reachability analysis, shown in Figure 6, has 12 states. The system state analysis, shown in Figure 7, has only 6 states. The subscripts in Figure 7 are used so that distinct system states having the same tuple (but not the same outgoing transitions) may be easily distinguished.
Figure 5: FSMs and variables for the example protocol


TABLE 1: PREDICATE-ACTION TABLE FOR THE EXAMPLE PROTOCOL

Transition | Enabling Predicate        | Action
snd_data1  | CHAN1 = E ∧ out_buff1 ≠ E | CHAN1 ← out_buff1; out_buff1 ← E
rcv_data3  | CHAN3 ≠ E                 | in_buff1 ← CHAN3; out_buff1 ← in_buff1; CHAN3 ← E
snd_data2  | CHAN2 = E ∧ out_buff2 ≠ E | CHAN2 ← out_buff2; out_buff2 ← E
rcv_data1  | CHAN1 ≠ E                 | in_buff2 ← CHAN1; out_buff2 ← in_buff2; CHAN1 ← E
snd_data3  | CHAN3 = E ∧ out_buff3 ≠ E | CHAN3 ← out_buff3; out_buff3 ← E
rcv_data2  | CHAN2 ≠ E                 | in_buff3 ← CHAN2; out_buff3 ← in_buff3; CHAN2 ← E
[m1,in_buff1,out_buff1,m2,in_buff2,out_buff2,m3,in_buff3,out_buff3,CHAN1,CHAN2,CHAN3]

[0,E,D,0,E,E,0,E,E,E,E,E]
  | snd_data1
[1,E,E,0,E,E,0,E,E,D,E,E]
  | rcv_data1
[1,E,E,1,D,D,0,E,E,E,E,E]
  | snd_data2
[1,E,E,0,D,E,0,E,E,E,D,E]
  | rcv_data2
[1,E,E,0,D,E,1,D,D,E,E,E]
  | snd_data3
[1,E,E,0,D,E,0,D,E,E,E,D]
  | rcv_data3
[0,D,D,0,D,E,0,D,E,E,E,E]
  | snd_data1
[1,D,E,0,D,E,0,D,E,D,E,E]
  | rcv_data1
[1,D,E,1,D,D,0,D,E,E,E,E]
  | snd_data2
[1,D,E,0,D,E,0,D,E,E,D,E]
  | rcv_data2
[1,D,E,0,D,E,1,D,D,E,E,E]
  | snd_data3
[1,D,E,0,D,E,0,D,E,E,E,D]
  | rcv_data3 (back to [0,D,D,0,D,E,0,D,E,E,E,E])

Figure 6: Global reachability analysis for the example protocol

Thus, for this protocol we have 6 system states and 12 global states. For more complex protocols, the difference between these numbers can be much greater. For example, for a sliding window protocol with a window size of 8, the system state analysis was shown to generate 165 states, while the full global analysis generated 11880 states [Ref. 1].
Figure 7: System state analysis for the example protocol
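The three-step algorithm of Section B.2 and the Table 1 protocol of this section, as an added Python example that is not the thesis's Ada code. It runs the same transition table once with full global states as graph nodes and once with system states (state tuple plus the set of enabled transitions) as nodes, reproducing the counts of 12 and 6 stated above. The state changes of each transition are read from Figure 6 (sends go from 0 to 1, receives from 1 to 0); the function names enabled, fire, explore, global_analysis, system_state_analysis and fmt are the example's own.

```python
from collections import deque

# Added example, not the thesis's Ada code: the ring protocol of Table 1 run
# through full global analysis and through the three-step system state
# analysis of Section B.2. Variable values are strings; E is the empty string.
E, D = "", "D"

def _snd(i):
    """Row snd_data<i>: CHAN<i> = E and out_buff<i> != E; move out_buff<i> into CHAN<i>."""
    chan, out = f"CHAN{i}", f"out_buff{i}"
    def pred(v): return v[chan] == E and v[out] != E
    def act(v):
        v[chan] = v[out]
        v[out] = E
    return pred, act

def _rcv(i, src):
    """Row rcv_data<src> in machine i: CHAN<src> != E; copy it into in_buff<i>,
    then into out_buff<i> (assignments are applied in order), then clear it."""
    chan, inb, out = f"CHAN{src}", f"in_buff{i}", f"out_buff{i}"
    def pred(v): return v[chan] != E
    def act(v):
        v[inb] = v[chan]
        v[out] = v[inb]
        v[chan] = E
    return pred, act

# (name, machine index, from state, to state, predicate, action), from Table 1
# and the state changes visible in Figure 6.
TRANSITIONS = [
    ("snd_data1", 0, 0, 1, *_snd(1)),
    ("rcv_data3", 0, 1, 0, *_rcv(1, 3)),
    ("rcv_data1", 1, 0, 1, *_rcv(2, 1)),
    ("snd_data2", 1, 1, 0, *_snd(2)),
    ("rcv_data2", 2, 0, 1, *_rcv(3, 2)),
    ("snd_data3", 2, 1, 0, *_snd(3)),
]
INITIAL_STATES = (0, 0, 0)
INITIAL_VARS = {"in_buff1": E, "out_buff1": D, "in_buff2": E, "out_buff2": E,
                "in_buff3": E, "out_buff3": E, "CHAN1": E, "CHAN2": E, "CHAN3": E}

def enabled(states, vars_):
    """Names of the transitions enabled in a global state (step 2)."""
    return tuple(name for name, m, frm, _, pred, _ in TRANSITIONS
                 if states[m] == frm and pred(vars_))

def fire(name, states, vars_):
    """Execute a transition atomically: state change and action together."""
    for n, m, _, to, _, act in TRANSITIONS:
        if n == name:
            new_vars = dict(vars_)
            act(new_vars)
            return states[:m] + (to,) + states[m + 1:], new_vars
    raise KeyError(name)

def explore(states, vars_, key):
    """Steps 1-3: expand each node once, identifying nodes by `key`. Returns
    the set of node keys and the labelled arcs (from_key, name, to_key)."""
    start = key(states, vars_)
    seen, arcs, queue = {start}, [], deque([(states, vars_)])
    while queue:
        s, v = queue.popleft()
        for name in enabled(s, v):
            t, w = fire(name, s, v)
            arcs.append((key(s, v), name, key(t, w)))
            if key(t, w) not in seen:        # already generated: draw the arc only
                seen.add(key(t, w))
                queue.append((t, w))
    return seen, arcs

def global_analysis(states, vars_):
    """Node = state tuple plus every variable value (the global state)."""
    return explore(states, vars_, lambda s, v: (s, tuple(sorted(v.items()))))

def system_state_analysis(states, vars_):
    """Node = state tuple plus the enabled transitions (the system state). Each
    system state is expanded with the variable values of the first global state
    that reached it, which is why loops can leave this analysis incomplete."""
    return explore(states, vars_, lambda s, v: (s, enabled(s, v)))

def fmt(states, vars_):
    """Page layout: [m1,in_buff1,out_buff1,m2,in_buff2,out_buff2,m3,in_buff3,out_buff3,CHAN1,CHAN2,CHAN3]."""
    parts = []
    for i in (1, 2, 3):
        parts += [str(states[i - 1]), vars_[f"in_buff{i}"] or "E", vars_[f"out_buff{i}"] or "E"]
    parts += [vars_[f"CHAN{i}"] or "E" for i in (1, 2, 3)]
    return "[" + ",".join(parts) + "]"

if __name__ == "__main__":
    g, garcs = global_analysis(INITIAL_STATES, INITIAL_VARS)
    s, sarcs = system_state_analysis(INITIAL_STATES, INITIAL_VARS)
    print(f"global states: {len(g)}, system states: {len(s)}")
    for (st, en), name, _ in sarcs:
        print(f"  {st} enabled={en} --{name}-->")
```

The only difference between the two runs is the node key passed to explore. Three of the six system states share the tuple (1,0,0) and differ only in which transition is enabled, which is what the subscripts in Figure 7 distinguish; the global run separates them by the buffer contents instead and therefore visits the first six "transient" global states of Figure 6 before settling into the six-state cycle.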

4.      Summary 

The SCM model has desirable properties which overcome some of the disadvantages of the CFSM model. One of the advantages of the SCM model is that it greatly reduces the state explosion through the use of system state analysis. In some cases, however, the system state analysis is not sufficient for protocol analysis, and some other method, such as global analysis, must be used. A problem with the system state analysis is that loops in the state machines may cause an insufficient analysis. This problem is illustrated with an example in Chapter V.

Another advantage of the SCM model is that it allows communication between machines in a nonsequential manner, unlike the FIFO queue representation in the CFSM model. The SCM model specification is also easier to understand than the CFSM model specification for more complex protocols.
III. SIMPLE MUSHROOM: A PROGRAM FOR AUTOMATING CFSM REACHABILITY ANALYSIS


This chapter and the next describe a program called mushroom, which was written in the Ada programming language. Mushroom automates the reachability analysis of protocols specified by the CFSM and the SCM models. The Mushroom program was first developed as two separate programs. The first program, called simple mushroom, automates the CFSM analysis. The second program automates either system state analysis (smart mushroom) or the full global analysis (big mushroom) for a protocol specified formally by the SCM model. The general structure of the Mushroom program is shown in Figure 8.


(Figure residue. The block diagram shows three paths: CFSM Specification -> Simple Mushroom -> Global Reachability Analysis; SCM Specification -> Big Mushroom -> Global Reachability Analysis; SCM Specification -> Smart Mushroom -> System State Analysis.)

Figure 8: General structure of Mushroom program
The Simple Mushroom program is described in this chapter in four sections: program structure, inputs to the program, generating the reachability analysis, and outputs of the program.

A.     PROGRAM  STRUCTURE 

The Simple Mushroom program consists of Ada subprograms (procedures and functions), which are separate compilation units and subunits of compilation units. Related subprograms are gathered in the same files. The compilation units of the program are shown in Table 2. Procedure main is the parent unit; all of the other subprograms are subunits of procedure main. [Ref. 13]

TABLE 2: SIMPLE MUSHROOM PROGRAM COMPILATION UNITS

Compilation Unit | Description | File name
main (procedure) | This is the parent unit. Contains the main data structures, global variables, and the driver. | tmain.a
load_machine_array (procedure) | Builds the adjacency lists from FSMs. | tinput.a
read_in_file (procedure) | Parses the input FSM text file. | tinput.a
build_Gstate_graph (procedure) | Generates the reachability graph. | treachability.a
IsEqual (function) | Compares two global states for equality. | treachability.a
hash (function) | Generates an index number according to the hashing function. | treachability.a
clear_pointers (procedure) | Deallocates the dynamic memory space for another analysis. | treachability.a
find_tuple (function) | Searches the reachability graph for the equivalent tuples using external (open) hashing. | tsearch.a
clear_hash_array (procedure) | Clears the hash array and deallocates the memory. | tsearch.a
Print_Queue (procedure) | Prints the FIFO queues. | toutput.a
output_Gstate_transition (procedure) | Outputs the transition name. | toutput.a
output_Gstate_node (procedure) | Outputs the machine states, unspecified receptions, and the states with deadlocks. | toutput.a
output_machine_arrays (procedure) | Outputs the FSM description in a tabular format. | toutput.a
output_unexecuted_transitions (procedure) | Outputs the unexecuted transitions. | toutput.a
create_output_file (procedure) | Creates an output file for storing the analysis results. | toutput.a
output_analysis (procedure) | Driver for the output subprograms. | toutput.a
system_call (procedure) | Interface procedure for Unix system calls via C. | tsystem.a
message_queues (package) | Implements the queue operations for the FIFO communication channels. | tqueues.a
pointer_queues (generic package) | Implements the queue operations for the pointer queue that stores the global tuples temporarily. | tqueues_2.a
Splitting the program into separate compilation units has permitted hierarchical program development.

B.     INPUT 

The CFSM specification of a protocol consists only of the FSMs of the communicating machines. In the program, the FSMs are represented by a text file. The user enters the directed graphs as a text file using some reserved words, numbers, and characters representing the machines, states and transitions. The list of reserved words and the syntax for the FSM text description are shown in Figure 9 in Backus-Naur Form (BNF).

reserved_word ::= start | number_of_machines | machine | state | trans | initial_state | finish

number_of_machines <machine_number>
machine 1 | <machine_number>
state <state_number>
trans {+ | -}<message> <next_state> <next_machine>
initial_state <state_number> <state_number> [<state_number>] [<state_number>]
              [<state_number>] [<state_number>] [<state_number>] [<state_number>]

<machine_number> ::= 2 | 3 | 4 | 5 | 6 | 7 | 8
<state_number>   ::= 0 | 1 | 2 | 3 | ... | 50
<message>        ::= {<letter> | <digit>} [<letter> | <digit>] [<letter> | <digit>]
<next_state>     ::= <state_number>
<next_machine>   ::= 1 | <machine_number>
<letter>         ::= a | b | ... | z | A | B | ... | Z
<digit>          ::= 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

Figure 9: Syntax for the text description of FSM
As can be seen from Figure 9, the maximum number of machines allowed is eight, and the number of states for each machine can be from 0 to 50. Transition names must be at most three characters long and may be any combination of letters or digits. These constraints can be relaxed with slight modifications to the program, if necessary.

The input file for the example protocol in Chapter II for the CFSM model is shown in Figure 10. For example, "trans -D3 3 2" represents a transition from state 1 to state 3 (first number) in machine 1, sending ("-" sign) the message "D3" to machine 2. "initial_state 1 1 1" means that the initial states of machine 1, machine 2, and machine 3 are all state 1.

start
number_of_machines 3
machine 1
state 1
trans -D3 3 2
trans -D0 2 2
state 2
trans +D2 1 3
machine 2
state 1
trans +D3 3 1
trans +D0 2 1
state 2
trans -D1 1 3
machine 3
state 1
trans +D2 2 2
state 2
trans -D4 3 1
trans -D2 1 1
initial_state 1 1 1
finish

Figure 10: Text file description of the FSM

First, this file is parsed by the read_in_file procedure and tokens are generated. Then, the load_machine_array procedure constructs an adjacency list which represents the FSMs. The data structure for the adjacency list is shown below:

type cfsm_transition_type is (s, r, u);
type visit_type is (yes, no);
type state_type is range 0..50;
type next_machine_type is range 1..8;
type machine_array_record_type;
type Slink_type is access machine_array_record_type;
type machine_array_record_type is
   record
      transition    : cfsm_transition_type := u;
      message       : message_queue.message_queue_type;
      next_Mstate   : state_type := 0;
      other_machine : next_machine_type := 1;
      visited       : visit_type := no;
      Slink         : Slink_type := null;
   end record;
type machine_array_type is array (state_type range 0..50) of Slink_type;
type system_array_type is array (next_machine_type range 1..8) of machine_array_type;

The adjacency list for the example protocol is depicted in Figure 12. This adjacency list contains all the information needed to construct the global reachability graph.

The user also provides the name of the text input file and a file name for storing the analysis results. The input file name must end with the ".fsm" extension to prevent confusion. The output file name must be no more than 20 characters long.
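A parser for this input format, added here as an illustration and not part of the Mushroom program: it tokenizes the Figure 10 text (retyped with the scanning errors corrected), enforces the limits of Figure 9 (two to eight machines, states 0 to 50, messages of at most three letters or digits preceded by "+" or "-"), and builds the same adjacency structure that read_in_file and load_machine_array produce, here as nested Python dictionaries. The error class, the is_valid helper and the tuple layout (kind, message, next_state, other_machine) are this example's own choices.

```python
import re

# Text of Figure 10 (the thesis's CFSM input for the Chapter II example), retyped
# with the obvious scanning errors corrected ("DO" -> "D0", "Dl" -> "D1",
# "initial_statc" -> "initial_state").
FIGURE_10 = """
start
number_of_machines 3
machine 1
state 1
trans -D3 3 2
trans -D0 2 2
state 2
trans +D2 1 3
machine 2
state 1
trans +D3 3 1
trans +D0 2 1
state 2
trans -D1 1 3
machine 3
state 1
trans +D2 2 2
state 2
trans -D4 3 1
trans -D2 1 1
initial_state 1 1 1
finish
"""

MESSAGE = re.compile(r'^[A-Za-z0-9]{1,3}$')   # <message>: one to three letters or digits


class FsmSyntaxError(ValueError):
    """Raised when the text violates the Figure 9 grammar or its limits (this example's class)."""


def parse_fsm(text):
    """Parse an FSM text description into adjacency lists.

    Returns (number_of_machines, machines, initial_state); machines[m][state] is the
    list of (kind, message, next_state, other_machine) for machine m, kind 's' for a
    '-' (send) and 'r' for a '+' (receive), like the s and r of cfsm_transition_type.
    """
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != 'start' or tokens[-1] != 'finish':
        raise FsmSyntaxError('description must begin with start and end with finish')
    pos = 1
    num_machines = None
    machines = {}
    machine = state = initial = None

    def number(lo, hi, what):
        # Consume one numeric token and enforce the range the grammar allows.
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else ''
        if not tok.isdigit() or not lo <= int(tok) <= hi:
            raise FsmSyntaxError(f'expected {what} in {lo}..{hi}, got {tok!r}')
        pos += 1
        return int(tok)

    while tokens[pos] != 'finish':
        word = tokens[pos]
        pos += 1
        if word == 'number_of_machines':
            num_machines = number(2, 8, 'number_of_machines')
        elif word == 'machine':
            if num_machines is None:
                raise FsmSyntaxError('machine before number_of_machines')
            machine = number(1, num_machines, 'machine number')
            if machine in machines:
                raise FsmSyntaxError(f'machine {machine} described twice')
            machines[machine] = {}
            state = None
        elif word == 'state':
            if machine is None:
                raise FsmSyntaxError('state outside a machine block')
            state = number(0, 50, 'state number')
            machines[machine].setdefault(state, [])
        elif word == 'trans':
            if state is None:
                raise FsmSyntaxError('trans outside a state block')
            name = tokens[pos] if pos < len(tokens) else ''
            if name[:1] not in ('+', '-') or not MESSAGE.match(name[1:]):
                raise FsmSyntaxError(f'bad transition name {name!r}')
            pos += 1
            kind = 's' if name[0] == '-' else 'r'
            next_state = number(0, 50, 'next_state')
            other = number(1, 8, 'next_machine')
            machines[machine][state].append((kind, name[1:], next_state, other))
        elif word == 'initial_state':
            if num_machines is None:
                raise FsmSyntaxError('initial_state before number_of_machines')
            initial = tuple(number(0, 50, 'initial state') for _ in range(num_machines))
        else:
            raise FsmSyntaxError(f'unexpected token {word!r}')
    if initial is None or len(machines) != num_machines:
        raise FsmSyntaxError('missing initial_state or machine descriptions')
    return num_machines, machines, initial


def is_valid(text):
    """True when the text parses; shows the grammar limits being enforced."""
    try:
        parse_fsm(text)
        return True
    except FsmSyntaxError:
        return False
```

Because every range check is done at the token where it applies, a file that names a ninth machine, a 51st state or a four-character message is rejected at that token rather than being silently truncated into the fixed-size Ada arrays.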

C.     REACHABILITY  ANALYSIS 

After  reading  the  input  file  the  program  starts  generating  the  global  reachability  graph. 
The  program  uses  the  adjacency  list  and  the  initial  state  to  construct  the  global  reachability 
graph.  Starting  with  the  initial  state,  the  new  states  are  added  and  linked  to  the  graph 
dynamically.  The  algorithm  to  construct  the  global  reachability  graph  is  given  in  Figure  13. 

During the graph construction, the program also detects the global states with deadlocks and unspecified receptions. The program also finds the maximum message queue size and channel overflows. Analysis results are stored in the output file in parallel with the graph construction. This prevents the traversal of the entire graph one more time at the end of the program and decreases the run time.

Figure 12: Adjacency list for the example ring protocol in Chapter II


loop (main loop)
   for index in 1 .. total_number_of_machines loop
      place_holder(index) := machine_array(index)(M_state(index))
      while (place_holder(index) /= null) loop
         loop
            if (place_holder(index).transition = s) then
               Enqueue the message into the corresponding message queue
               search the graph for this new global state tuple
               if not found then create a new node and link to the graph
                                 Enqueue this new node to the pointer_queue
               else link the transition to found global state tuple
            else
               if (place_holder(index).transition = r) and at least one of the message queues for
                  this machine is not empty then
                  find this message queue and Dequeue
                  search the graph for this new global state tuple
                  if not found then create a new node and link to the graph
                                    Enqueue this new node to the pointer_queue
                  else link the transition to found global state tuple
            end if;
            place_holder(index) := place_holder(index).Slink
            exit
         end loop
      end loop
   end loop
   if pointer_queue empty then
      exit
   else
      Dequeue pointer_queue and update M_state for this new node
   end if
end loop (main loop)

Figure 13: Algorithm for generating global reachability graph for CFSM
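The algorithm of Figure 13 carried out on a small constructed protocol (example code added here, not the thesis's Ada). Instead of the Figure 10 input it uses a two-machine request/response exchange built to contain one unspecified reception (the server's ERR reply, for which the client has no receive transition) and one deadlock (both machines parked in a state with no transitions), plus a second protocol whose sender never waits, so that the channel capacity bound mentioned later in this section is what stops the analysis. A Python dictionary keyed on the global tuple stands in for the hashed node search, and a deque for the pointer queue; the protocol names, the channel bookkeeping and the result dictionary are this example's own.

```python
from collections import deque

# Constructed example protocols (not from the thesis), already in the adjacency
# form that load_machine_array builds: machines[m][state] lists the transitions
# (kind, message, next_state, other_machine) of machine m, kind 's' = send,
# 'r' = receive. The server's ERR reply is deliberately not handled by the
# client, and state 2 of both machines has no exit.
CLIENT_SERVER = {
    1: {0: [('s', 'REQ', 1, 2)],
        1: [('r', 'ACK', 0, 2), ('r', 'NAK', 2, 2)],
        2: []},
    2: {0: [('r', 'REQ', 1, 1)],
        1: [('s', 'ACK', 0, 1), ('s', 'NAK', 2, 1), ('s', 'ERR', 0, 1)],
        2: []},
}
# A sender that never waits for its receiver, to exercise the channel bound.
FLOOD = {
    1: {0: [('s', 'DATA', 0, 2)]},
    2: {0: [('r', 'DATA', 0, 1)]},
}


def analyze(machines, initial, capacity=6):
    """Breadth-first global reachability analysis of a CFSM protocol.

    A global state is (machine state vector, FIFO channel contents). `seen`
    stands in for the hashed node search of Figure 13 and `pending` for its
    pointer queue of nodes whose transitions are still to be expanded.
    """
    n = len(machines)

    def key(states, chans):
        # Channels are identified by (sender, receiver); empty ones are dropped
        # so that equal global states always produce equal keys.
        return (states, tuple(sorted((c, q) for c, q in chans.items() if q)))

    start = (tuple(initial), {})
    nodes = [key(*start)]
    seen = {nodes[0]: 0}
    edges = []                        # (from_node, transition label, to_node)
    deadlocks, unspecified = set(), set()
    overflows = 0
    max_queue = 0
    pending = deque([start])
    while pending:
        states, chans = pending.popleft()
        src = seen[key(states, chans)]
        executable = 0
        for m in range(1, n + 1):
            cur = states[m - 1]
            trans = machines[m].get(cur, [])
            # Unspecified reception: the message at the head of an incoming
            # channel is accepted by no receive transition of the current state.
            for (frm, to), q in chans.items():
                if to == m and q and not any(
                        k == 'r' and msg == q[0] and other == frm
                        for k, msg, _, other in trans):
                    unspecified.add(src)
            for kind, msg, nxt, other in trans:
                new_chans = dict(chans)
                if kind == 's':
                    q = chans.get((m, other), ())
                    if len(q) >= capacity:       # channel overflow: do not expand
                        overflows += 1
                        continue
                    new_chans[(m, other)] = q + (msg,)
                    label = f'M{m} -{msg}'
                else:
                    q = chans.get((other, m), ())
                    if not q or q[0] != msg:     # nothing (matching) to receive
                        continue
                    new_chans[(other, m)] = q[1:]
                    label = f'M{m} +{msg}'
                executable += 1
                new_states = states[:m - 1] + (nxt,) + states[m:]
                k = key(new_states, new_chans)
                if k not in seen:                # create the node and link it
                    seen[k] = len(nodes)
                    nodes.append(k)
                    pending.append((new_states, new_chans))
                    max_queue = max([max_queue] + [len(q) for q in new_chans.values()])
                edges.append((src, label, seen[k]))
        if executable == 0 and not any(chans.values()):
            deadlocks.add(src)
    return {'nodes': nodes, 'edges': edges, 'deadlocks': sorted(deadlocks),
            'unspecified': sorted(unspecified), 'overflows': overflows,
            'max_queue': max_queue}
```

A deadlock is reported only when nothing is executable and every channel is empty; a state that is stuck because a message nobody accepts sits at the head of a channel is reported as an unspecified reception instead, which is the distinction the output section below draws between the two counts. The overflow counter records each send that the capacity bound refuses, so a protocol that can flood a channel shows up even though the analysis terminates.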


One of the most time consuming procedures is the search algorithm for detecting whether a node was previously created. The previous version of the program [Ref. 8] used a depth-first search / breadth-first search in a recursive manner. In this program, the search is made more efficient using a hashing algorithm. The hash function is computed from the machine states of the global tuple, which has provided an efficient mapping. Therefore, the complexity of the search algorithm is O(1) when the hash function generates a distinct index (no collision) and O(n) when the same index is generated, where n is the number of hash collisions for that state. In many sample runs of the program, the complexity was O(1) for about 30% of the global states, and 3 nodes had to be traversed on the average for the other 70% of the global states. The reachability analysis is limited by the storage capacity of the computer. The run time is another factor that must be considered. The largest analysis carried out by the program thus far has generated about 160,000 states in 12 hours for a six machine protocol specification. Some alternative methods for improving the efficiency of the program and the analysis size using other search techniques are discussed in Chapter VI.
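To make that search cost concrete, here is an added Python sketch (not the thesis's Ada) of the external-hashing node search that find_tuple, hash, IsEqual and clear_hash_array provide. The index comes from the machine-state vector alone, so tuples that differ only in channel contents share a bucket and are told apart by a full comparison along the chain; the table size, the mixing constants, the probe counter and the sample tuples are constructed for this example.

```python
TABLE_SIZE = 1021          # prime table size; a constructed choice for this example


def hash_index(machine_states, size=TABLE_SIZE):
    """Index derived from the machine-state vector only (queue contents ignored)."""
    h = 0
    for s in machine_states:
        h = (h * 53 + s + 1) % size        # small polynomial mix; constructed constants
    return h


class TupleTable:
    """Open-hashing store of global state tuples (machine states, channels)."""

    def __init__(self, size=TABLE_SIZE):
        self.size = size
        self.buckets = [[] for _ in range(size)]   # each bucket is a chain of (tuple, node)
        self.probes = 0                             # number of IsEqual comparisons made

    def find(self, tup):
        """Return the node index stored for tup, or None when it is not present."""
        for stored, node in self.buckets[hash_index(tup[0], self.size)]:
            self.probes += 1
            if stored == tup:                      # the IsEqual step
                return node
        return None

    def find_or_insert(self, tup, next_node):
        """find_tuple: search for an equivalent tuple; insert it as next_node if absent.

        Returns (node index, inserted) so the caller knows whether to link to an
        existing node or create a new one.
        """
        found = self.find(tup)
        if found is not None:
            return found, False
        self.buckets[hash_index(tup[0], self.size)].append((tup, next_node))
        return next_node, True

    def chain_lengths(self):
        return [len(b) for b in self.buckets if b]

    def clear(self):
        """clear_hash_array: drop everything before another analysis."""
        self.buckets = [[] for _ in range(self.size)]
        self.probes = 0


def collision_profile(tuples):
    """How many states sit alone in their bucket (O(1) lookup) versus on a longer
    chain, in the spirit of the 30% / 70% figures quoted in the text."""
    table = TupleTable()
    for i, t in enumerate(tuples):
        table.find_or_insert(t, i)
    lengths = table.chain_lengths()
    return {'states': len(tuples),
            'chains': len(lengths),
            'singleton_chains': sum(1 for n in lengths if n == 1),
            'longest_chain': max(lengths),
            'probes': table.probes}


# Constructed sample tuples: two of them have the same machine states but
# different channel contents, which is exactly the case that collides here.
SAMPLE = [
    ((1, 1, 1), ()),
    ((3, 1, 1), (((1, 2), ('D3',)),)),
    ((2, 1, 1), (((1, 2), ('D0',)),)),
    ((2, 1, 1), (((2, 3), ('D1',)),)),      # same machine states as the line above
    ((2, 2, 1), ()),
    ((3, 3, 1), ()),
]
```

Hashing on machine states only keeps the index cheap, but it also means that every global state sharing a machine-state vector (all the queue variations of one system state) lands on one chain, which is where the O(n) case of the text comes from.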

The  structure  of  a  global  node  is  shown  in  Figure  14.  The  maximum  number  of 
outgoing  transitions  is  limited  to  7,  which  can  be  increased  if  needed.  Also,  a  maximum 
channel  capacity  of  6  messages  is  introduced  to  ensure  that  the  analysis  eventually  stops. 

D.     OUTPUT 

The  program  stores  the  analysis  results  in  a  file  named  by  the  user  during  the 
reachability  graph  construction.  This  file  contains  the  specification  in  a  tabular  format, 
reachability  graph  and  the  results  of  the  analysis  consisting  of  the  number  of  states 
generated,  number  of  states  analyzed,  number  of  deadlocks,  number  of  unspecified 
receptions,  maximum  message  queue  size  and  number  of  channel  overflows.  Global  states 
with  deadlocks  and  unspecified  receptions  are  also  marked  in  the  reachability  graph.  The 
output  file  also  lists  the  unexecuted  transitions.  A  menu  is  displayed  at  the  end  of  the 
analysis.  From  this  menu  the  user  has  the  option  of  displaying  or  printing  the  results  or 
continuing  the  program  for  another  analysis. 
If the analysis generates more than 2000 states, the program gives an interim summary of the analysis and asks the user if they would like to continue. If the user wishes to continue, analysis proceeds in steps of 1000 states until the analysis ends or the user terminates the analysis (as long as memory is available). For analyzing large protocols, the number of states between these "stops" can be made larger (for example, increments of 5000 or 10000). The program output for the example protocol in Chapter II is given in Figure 15.
Figure 14: Global state structure with outgoing transitions

Figure 15: Program output for the example ring protocol
IV. SMART AND BIG MUSHROOM: A PROGRAM FOR AUTOMATING SCM REACHABILITY ANALYSIS


In this chapter, the programs that automate either system state analysis (smart mushroom) or the full global analysis (big mushroom) for a protocol specified by the SCM model are described. The program is described in four sections: general program structure, inputs to the program, generating the reachability graph, and outputs of the program.

A.     PROGRAM  STRUCTURE 

The program structure of Smart Mushroom and Big Mushroom is similar to the structure of Simple Mushroom. The SCM model specification is more complicated than the CFSM specification, but this complexity in the specification brings some advantages to the analysis, as mentioned in Chapter II. A protocol specified by the SCM model consists of FSMs, variable definitions, and a predicate-action table, rather than just the FSMs as in the CFSM model.

FSMs are entered into the program in the same manner as in the Simple Mushroom program, using a text file. The variable definitions and predicate-action table must also be entered into the program. The user enters these parts by completing Ada packages (1) and subprograms using the templates provided.

The compilation units for the program are shown in Table 3. The user has access to the last four packages/subprograms. Once the user completes these subprograms using the templates and compiles them with the other compilation units, the analysis of the specified protocol can be performed. Construction of the specification in the form of Ada packages and subprograms is explained in the next section.

1. Ada packages are one of the four forms of program unit, of which programs can be composed. The other forms are subprograms, task units, and generic units. Packages allow the specification of groups of logically related entities. In their simplest form packages specify pools of common object and type declarations. [Ref. 13]

TABLE 3: SMART AND BIG MUSHROOM PROGRAM COMPILATION UNITS

Compilation Unit | Description | File name
Main (procedure) | This is the parent unit. Contains the main data structures, global variables, and the driver. | smain.a
load_machine_array (procedure) | Builds the adjacency lists from FSMs. | sinput.a
read_in_file (procedure) | Parses the input FSM text file. | sinput.a
build_Gstate_graph (procedure) | Generates the global reachability graph. | sg_reachability.a
build_system_state_graph (procedure) | Generates the system reachability graph. | sg_reachability.a
hash (function) | Generates an index number according to the hashing function. | sg_reachability.a
clear_pointers (procedure) | Deallocates the dynamic memory space for another analysis. | sg_reachability.a
search_for_Gtuple (function) | Searches the reachability graph for the equivalent global tuples using hashing. | sg_search.a
clear_hash_array (procedure) | Clears the hash array and deallocates the memory for global reachability analysis. | sg_search.a
search_for_Stuple (function) | Searches the reachability graph for the equivalent system tuples using hashing. | sg_search.a
clear_hs_hash_array (procedure) | Clears the hash array and deallocates the memory for system state analysis. | sg_search.a
output_Gstate_node (procedure) | Outputs the machine states, and states with deadlock for global reachability analysis. | sg_output.a
output_sys_node (procedure) | Outputs machine states, and states with deadlock for system state analysis. | sg_output.a
output_Gstate_transition (procedure) | Outputs the transition name for global reachability analysis. | sg_output.a
output_sys_transition (procedure) | Outputs the transition name for system state analysis. | sg_output.a
output_unexecuted_transitions (procedure) | Outputs the unexecuted transitions. | sg_output.a
output_machine_arrays (procedure) | Outputs the FSM description in a tabular format. | sg_output.a
output_analysis (procedure) | Driver for the output subprograms. | sg_output.a
system_call (procedure) | Interface program for Unix system calls via C. | ssystem.a
queues (generic package) | Implements the queue operations for the pointer queue that stores the nodes temporarily. | squeues.a
stacks (generic package) | Implements the stack operations for storing enabled transitions. | sstacks.a
definitions (package) | Includes user defined local and shared variables. | named by the user
Analyze_Predicates (procedure; there is one for each machine) | Determines the enabled transitions from the predicates. | named by the user
Action (procedure) | Executes the actions for the enabled transitions. | named by the user
output_gtuple (procedure) | Outputs the global state tuples in a format defined by the user. | named by the user
B.     INPUT

The inputs to the program consist of three parts, as mentioned earlier. FSMs are entered using a text file representation as in the Simple Mushroom program. Variables and the predicate-action table are entered as Ada packages/subprograms. The user needs to complete these packages and subprograms by filling in the templates provided.

The Ada package template for the variable declarations is called "definitions." The predicate-action table is entered using an Ada subprogram template which consists of one procedure named "Action" and two to eight procedures called "Analyze_Predicates_Machine*" according to the number of machines in the protocol. The "*" at the end of the procedure name is replaced by the corresponding machine number for each machine in the protocol.

After  completing  the  templates  described  above,  the  user  must  compile  these  units 
with  the  other  compilation  units  listed  in  Table  3.  The  program  units  can  be  compiled  by 
entering  a  "make"  command.  The  "make"  command  executes  a  list  of  shell  commands  in 
the  "Makefile"  file  which  contains  the  commands  for  compiling  the  program  units 
according  to  their  dependencies.  After  issuing  the  "make"  command,  the  executable  file  is 
stored  in  a  file  named  "scm."  The  "Makefile"  is  provided  to  the  user  with  the  mushroom 
program. 

Each  of  these  program  units  will  be  explained  in  the  following  subsections.  The 
example  ring  protocol  described  in  Chapter  II  is  also  used  to  illustrate  how  to  complete  the 
templates. 

1.     Finite  State  Machines 

There are a few differences between the FSM description for the Smart and Big Mushroom programs and that for the Simple Mushroom program. The same reserved words, listed in Figure 9, are used to write the FSM text file. The syntax changes that must be made to this form are shown in Figure 16.

In the SCM model, explicit machine numbers showing which machine a message is sent to or received from are not needed in the transition names. Since shared variables are used for communication between machines, this information is included in the predicate-action table. The FSM text file for the example ring protocol is shown in Figure 17.

trans <transition_name> <next_state>
<transition_name> ::= <identifier>
<identifier>      ::= {[underline] | <letter_or_digit>}
<letter_or_digit> ::= <letter> | <digit>

Figure 16: Syntax changes for FSM description of SCM model


start
number_of_machines 3
machine 1
state 0
trans snd_data1 1
state 1
trans rcv_data3 0
machine 2
state 0
trans rcv_data1 1
state 1
trans snd_data2 0
machine 3
state 0
trans rcv_data2 1
state 1
trans snd_data3 0
initial_state 0 0 0
finish

Figure 17: Text file description of the example ring protocol
The FSM text file is read by the input procedures, and the adjacency list, which is used during the construction of the system and global reachability graphs, is generated. The data structure for the adjacency list is shown in Figure 18.


type visit_type is (yes, no);
type machine_array_record_type;
type Slink_type is access machine_array_record_type;
type machine_array_record_type is
   record
      transition  : scm_transition_type := unused;
      next_Mstate : natural := 0;
      visited     : visit_type := no;
      Slink       : Slink_type := null;
   end record;
type machine_array_type is array (integer range 0 .. 50) of Slink_type;
type system_array_type is array (1 .. num_of_machine) of machine_array_type;

Figure 18: Data structure for the adjacency list.


2.     Variable  Definitions 

The  user  defines  the  protocol  variables  in  an  Ada  package  named  definitions.  This 
package  includes  the  local  variables  for  each  machine  and  the  global  variables,  which  are 
considered  shared  and  allow  communication  between  machines.  A  variable  can  be  one  of 
the  Ada  defined  types  such  as:  integer,  array,  string,  record,  character,  boolean,  etc.  These 
types  and  their  subtypes  are  used  to  define  the  protocol  variables. 

The  template  for  the  definitions  package  is  given  in  Figure  19.  The  shaded  areas 
show  where  the  variables  of  the  protocol  are  inserted  by  the  user.  Additional  type 
declarations  should  be  placed  before  the  machine  type  declarations. 

The variable declarations for the example ring protocol are shown in Figure 20. The local variables of the protocol are in_buff1, in_buff2, in_buff3, out_buff1, out_buff2, and out_buff3. The shared variables are CHAN1, CHAN2 and CHAN3. The type definition dummy_type is placed in each of the local variable declarations of the machines in case the protocol has fewer than eight machines. When declaring the local variables for each machine, this dummy variable can be deleted from the corresponding machine. The initial values of the variables are also assigned with the variable declarations.


with TEXT_IO;
use TEXT_IO;
package definitions is
   num_of_machines : constant := -- (shaded area) Number of machines in the specification (can be 2 to 8)
   type scm_transition_type is ( -- (shaded area) Transition names of FSMs
   );
   type dummy_type is range 1..255;

   type machine1_state_type is                  -- Local variables for machines 1 to 8
      record
         dummy : dummy_type;                    -- (shaded area)
      end record;

   -- (machine2_state_type to machine7_state_type follow the same pattern)

   type machine8_state_type is
      record
         dummy : dummy_type;                    -- (shaded area)
      end record;

   type global_variable_type is                 -- Global (shared) variables
      record
         -- (shaded area)
      end record;
end definitions;

Figure 19: Template for definitions package


3.     Predicate-Action  Table 

The predicate-action table is represented by a number of subprograms as separate compilation units. These subprograms are named Analyze_Predicates and are used to determine the enabled transitions for each machine. The procedure named Action executes the actions to be taken for the corresponding enabled predicates. There is one Analyze_Predicates procedure for each machine and one Action procedure for the protocol. The template for the Analyze_Predicates procedure is shown in Figure 21.


with TEXT_IO;
use TEXT_IO;
package definitions is
   num_of_machines : constant := 3;
   type scm_transition_type is (snd_data1, rcv_data3, snd_data2,
                                rcv_data1, snd_data3, rcv_data2, unused);
   type buffer_type is (D, E);
   package buff_enum_io is new enumeration_io (buffer_type);
   use buff_enum_io;
   type dummy_type is range 1..255;

   type machine1_state_type is
      record
         out_buff1 : buffer_type := D;
         in_buff1  : buffer_type := E;
      end record;
   type machine2_state_type is
      record
         out_buff2,
         in_buff2  : buffer_type := E;
      end record;
   type machine3_state_type is
      record
         out_buff3,
         in_buff3  : buffer_type := E;
      end record;
   type machine4_state_type is
      record
         dummy : dummy_type;
      end record;

   -- (machine5_state_type to machine7_state_type are declared in the same way)

   type machine8_state_type is
      record
         dummy : dummy_type;
      end record;

   type global_variable_type is
      record
         CHAN1,
         CHAN2,
         CHAN3 : buffer_type := E;
      end record;
end definitions;

Figure 20: Completed definitions package for the example ring protocol
separate (main)
procedure Analyze_Predicates_machine1 (local  : machine1_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ( <enabling condition> ) then
            push(w, <enabled transition>);
         end if;
      when 1 =>
         -- (one "when" alternative per machine state, completed in the same way)
      when others =>
         null;
   end case;
end Analyze_Predicates_machine1;

(The shaded areas of the figure are shown here as <...> placeholders.)

Figure 21: Template for Analyze_Predicates procedures

The user completes the template for each state of the machines. For each machine state there is one "when" statement. "If" statements specify the predicates for the possible transitions from the current state. The "Push" statement stores these transitions in the stack. Since more than one transition can be enabled in some states, a stack is used to store all possible transitions. The "s" parameter in the formal parameter list of the procedure passes the machine state, and the "w" parameter passes the stack name to the procedure. The file for the example ring protocol is given in Figure 22.

The template for the Action procedure is shown in Figure 23. The enabled transitions are passed into this procedure through the "in_transition" formal parameter, and the necessary changes are made to the local and shared variables by the Action procedure. The "out_system_state" parameter passes the changed protocol variables to the calling procedure. The completed Action procedure is shown in Figure 24. Text in boldface shows the user defined parts.
separate (main)
procedure Analyze_Predicates_Machine1 (local : machine1_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if ((GLOBAL.CHAN1 = E) and (LOCAL.out_buff1 /= E)) then
            Push(w, snd_data1);
         end if;
      when 1 =>
         if (GLOBAL.CHAN3 /= E) then
            Push(w, rcv_data3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;

separate (main)
procedure Analyze_Predicates_Machine2 (local : machine2_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.CHAN1 /= E) then
            Push(w, rcv_data1);
         end if;
      when 1 =>
         if ((GLOBAL.CHAN2 = E) and (local.out_buff2 /= E)) then
            Push(w, snd_data2);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;

separate (main)
procedure Analyze_Predicates_Machine3 (local : machine3_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.CHAN2 /= E) then
            push(w, rcv_data2);
         end if;
      when 1 =>
         if ((GLOBAL.CHAN3 = E) and (local.out_buff3 /= E)) then
            push(w, snd_data3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine3;

separate (main)
procedure Analyze_Predicates_Machine4 (local : machine4_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine4;

-- (Analyze_Predicates_Machine5 to Analyze_Predicates_Machine7 have the same null body)

separate (main)
procedure Analyze_Predicates_Machine8 (local : machine8_state_type; GLOBAL : global_variable_type;
                                       s : natural; w : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine8;

Figure 22: Completed Analyze_Predicates procedures for the example ring protocol
separate (main)
procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case (in_transition) is
      when <enabled transition> =>
         <action taken>
      when others =>
         put(" Error in the action procedure");
   end case;
end Action;

(The shaded areas of the figure are shown here as <...> placeholders.)

Figure 23: Template for Action procedure


separate (main)
procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
  case (in_transition) is
    when snd_data1 =>
      out_system_state.GLOBAL_VARIABLES.CHAN1 := in_system_state.machine1_state.out_buff1;
      out_system_state.machine1_state.out_buff1 := E;

    when rcv_data3 =>
      out_system_state.machine1_state.in_buff1 := in_system_state.GLOBAL_VARIABLES.CHAN3;
      out_system_state.machine1_state.out_buff1 := out_system_state.machine1_state.in_buff1;
      out_system_state.GLOBAL_VARIABLES.CHAN3 := E;

    when snd_data2 =>
      out_system_state.GLOBAL_VARIABLES.CHAN2 := in_system_state.machine2_state.out_buff2;
      out_system_state.machine2_state.out_buff2 := E;

    when rcv_data1 =>
      out_system_state.machine2_state.in_buff2 := in_system_state.GLOBAL_VARIABLES.CHAN1;
      out_system_state.machine2_state.out_buff2 := out_system_state.machine2_state.in_buff2;
      out_system_state.GLOBAL_VARIABLES.CHAN1 := E;

    when snd_data3 =>
      out_system_state.GLOBAL_VARIABLES.CHAN3 := in_system_state.machine3_state.out_buff3;
      out_system_state.machine3_state.out_buff3 := E;

    when rcv_data2 =>
      out_system_state.machine3_state.in_buff3 := in_system_state.GLOBAL_VARIABLES.CHAN2;
      out_system_state.machine3_state.out_buff3 := out_system_state.machine3_state.in_buff3;
      out_system_state.GLOBAL_VARIABLES.CHAN2 := E;

    when others =>
      put_line("There is an error in the Action procedure");
  end case;
end Action;

Figure  24:  Completed  Action  procedure  for  the  example  protocol 
C.     REACHABILITY ANALYSIS

The  process  of  generating  the  set  of  all  states  reachable  from  the  initial  state  is  called 
reachability  analysis.  The  program  is  capable  of  generating  both  the  global  and  system 
reachability  analyses  separately  for  a  protocol  specified  formally  by  the  SCM  model. 

The user selects either global reachability analysis or system state analysis from a
menu. During the graph construction, the program also detects states in a deadlock
condition. Analysis results are stored in the output file named "rgraph.dat" in parallel with
the graph construction.

Generating  the  global  reachability  analysis  and  system  state  analysis  will  be  described 
in  the  following  subsections. 

1.     Global  Reachability  Analysis 

The structure of the global node representation used for the program is shown in
Figure 25. This node structure also includes the outgoing transitions. The maximum
number of outgoing transitions is limited to 7, which can be increased if necessary. The
shared variables are stored in the global_variables component of the node, and the local
variables are stored separately for each machine in the machine1_state, ..., machine8_state
components.

The  initial  global  state  is  constructed  from  both  the  FSM  text  file  and  the  initial 
values  of  the  variables  assigned  in  the  definitions  package.  All  the  outgoing  transitions  are 
set  to  null  initially.  Starting  with  the  initial  global  state,  new  nodes  are  added  and  linked  to 
the  graph.  The  algorithm  for  generating  the  global  reachability  graph  is  the  same  as  the 
algorithm  given  for  the  system  state  analysis  in  Chapter  II  except  that  the  "system  states" 
must  be  replaced  by  "global  states."  Figure  26  shows  a  pseudo-code  algorithm  to  construct 
the  global  reachability  graph. 
[Figure 25 (diagram): a global node GTUPLE holds the system state number, the
machine_state array (entries 1 .. 8), global_variables, and machine1_state, machine2_state,
..., machine8_state; a LINK array of up to 7 outgoing transitions, each entry holding the
fields Gtransition, new_node, qlink and visited.]

Figure 25: Global state structure with outgoing transitions

The program uses hashing for searching the reachability graph, which increases
the run time efficiency of the program. The reachability analysis is limited by the storage
capacity of the computer and by the run time, as in the Simple Mushroom program. For
example, the program generated 31,460 global states for a sliding window protocol of two
machines defined in [Ref. 1] for a window size of 10. The run time for this example was
about 10 minutes. The number of states and the run time increase greatly as the number of
machines in the protocol increases and the protocol specifications become larger.
loop (main loop)
  for index1 in 1 .. total_number_of_machines loop
    position_holder(index1) := machine_array(index1)(M_state(index1))
    Determine the enabled transitions for machine(index1) and push them onto the transition stack
    while not Empty(transition_stack) loop
      while (position_holder(index1) /= null) loop
        Traverse the machine arrays for each enabled transition in the stack
        if a transition is found in the machine arrays then
          create a temporary node resulting from this transition
          call the Action procedure to make the necessary changes to the variables of this node
          search the graph for this node
          if the node is not found then
            insert and link the node to the graph
            Enqueue the node into the Gpointer_queue
          else
            link the node to the graph
          end if
        else
          position_holder(index1) := position_holder(index1).Slink
        end if
      end loop
      if not Empty(transition_stack) and a transition was not found in the machine arrays then
        pop the stack
      end if
    end loop
  end loop
  if Gpointer_queue is Empty then
    exit
  else
    Dequeue Gpointer_queue
    Update M_state for this new node
  end if
end loop (main loop)

Figure  26:  Algorithm  for  generating  global  reachability  graph  for  Big  Mushroom 


2.     System  State  Analysis 

The  steps  in  constructing  the  system  state  graph  are  detailed  in  Chapter  II.  The 
structure  of  a  system  state  is  shown  in  Figure  27.  Since  the  variables  are  not  part  of  the 
system  state,  system  state  nodes  are  much  smaller  than  the  global  state  nodes.  However,  in 
order  to  determine  the  enabled  transitions,  variables  are  still  needed  for  each  node  in  the 
graph.  The  program  stores  the  variables  in  secondary  storage,  instead  of  keeping  them  as  a 
part of the node, which decreases the amount of primary memory used and allows the
analysis  of  larger  and  more  complex  protocols. 

The  pseudo-code  algorithm  for  constructing  the  system  reachability  graph  is 
shown  in  Figure  28. 


[Figure 27 (diagram): a system state node STUPLE holds the system state number, the
machine_state array (entries 1 .. 8) and the subscript; a LINK array of up to 7 outgoing
transitions, each entry holding the fields Stransition and Syslink.]

Figure 27: System state structure for Smart Mushroom program

D.     OUTPUT 

The  program  stores  the  results  of  the  analysis  in  a  file  named  "rgraph.dat."  This  file 
contains  FSMs  in  a  tabular  format,  system/global  reachability  graph,  and  the  results  of  the 
analysis  consisting  of  number  of  states  generated,  number  of  states  analyzed,  and  number 
of  deadlocks.  Unexecuted  transitions  are  also  listed  at  the  end  of  the  analysis. 

Since each protocol specification has different variables, the user also has the
flexibility to output the desired variables. This is done in a similar manner to the predicate-
action table and variable definitions representation explained earlier, using an Ada
procedure template. The template for the output_Gtuple procedure is shown in Figure 29.
The user completes the template with Ada "put" statements for outputting the global states.
Since the system state tuples do not include the variables, there is no need to define an
output format for the system reachability graph.

loop (main loop)
  for index1 in 1 .. num_of_trans loop
    if parent_Sstate.link(index1).Stransition /= unused then
      for index2 in 1 .. total_num_of_machines loop
        position_holder := machine_array(index2)(M_state(index2))
        while position_holder /= null loop
          if position_holder.transition = parent_Sstate.link(index1).Stransition then
            create a temporary system state and store the corresponding variables
            determine the enabled outgoing transitions
            search the system state graph for this node
            if the node is not found then
              insert the node and link it to the graph
              Enqueue the node into the sys_pointer_queue
            else
              link the node to the graph
            end if
            exit
          else
            position_holder := position_holder.Slink
          end if
        end loop
        if an enabled transition was found in the machine arrays then
          exit
        end if
      end loop
    else
      exit
    end if
  end loop
  if sys_pointer_queue is empty then
    exit
  else
    Dequeue the sys_pointer_queue
    update M_state
  end if
end loop (main loop)

Figure  28:  Algorithm  for  generating  system  state  graph  for  Smart  Mushroom  program 


The completed template for the output_Gtuple procedure is also given in Figure 30.
As in the Simple Mushroom program, if the analysis generates more than 2000 states, the
program gives an interim summary and continues in steps as described in Chapter III. At
the end of the program, the user can display/print the results or continue with another
system/global state analysis, selecting the desired options from the menu. The output of the
program for the example ring protocol is given in Figures 31 and 32.


separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
  if print_header then
    new_line(2);
    set_col(5);
    -- header format for the variables
    print_header := false;
  else
    put("[" & integer'image(tuple.machine_state(1)));
    put(",");
    -- machine 1 local variables
    put(integer'image(tuple.machine_state(2)));
    put(",");
    -- ... local variables of the remaining machines
    put(integer'image(tuple.machine_state(8)));
    put(",");
    -- global variables
  end if;
end output_Gtuple;

Figure 29: Template for output_Gtuple procedure
separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
  if print_header then
    new_line(2);
    set_col(5);
    put_line("    m1(in_buff1,out_buff1), m2(in_buff2,out_buff2), m3(in_buff3,out_buff3), " &
             "(CHAN1,CHAN2,CHAN3)");
    print_header := false;
  else
    put("    [" & integer'image(tuple.machine_state(1)));
    put(",");
    buff_enum_io.put(tuple.machine1_state.in_buff1);
    put(",");
    buff_enum_io.put(tuple.machine1_state.out_buff1);
    put(" ," & integer'image(tuple.machine_state(2)));
    put(",");
    buff_enum_io.put(tuple.machine2_state.in_buff2);
    put(",");
    buff_enum_io.put(tuple.machine2_state.out_buff2);
    put(",");
    put(integer'image(tuple.machine_state(3)));
    put(",");
    buff_enum_io.put(tuple.machine3_state.in_buff3);
    put(",");
    buff_enum_io.put(tuple.machine3_state.out_buff3);
    put(",");
    buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN1);
    put(",");
    buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN2);
    put(",");
    buff_enum_io.put(tuple.GLOBAL_VARIABLES.CHAN3);
    put("]");
  end if;
end output_Gtuple;

Figure 30: Completed output_Gtuple procedure for the example protocol
REACHABILITY ANALYSIS of : ring.scm
SPECIFICATION

| Machine 1 State Transitions
| From   |   To   |   Transition
|    0   |    1   |   snd_data1
|    1   |    0   |   rcv_data3

| Machine 2 State Transitions
| From   |   To   |   Transition
|    0   |    1   |   rcv_data1
|    1   |    0   |   snd_data2

| Machine 3 State Transitions
| From   |   To   |   Transition
|    0   |    1   |   rcv_data2
|    1   |    0   |   snd_data3

GLOBAL REACHABILITY GRAPH
SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 12
Number of states analyzed  : 12
Number of deadlocks        : 0

UNEXECUTED  TRANSITIONS 


Figure  31:  Program  output  for  global  reachability  analysis 
REACHABILITY ANALYSIS of : ring.scm
SPECIFICATION
| Machine 1 State Transitions
| From   |   To   |   Transition
|    0   |    1   |   snd_data1
|    1   |    0   |   rcv_data3

| Machine 2 State Transitions
| From   |   To   |   Transition
|    0   |    1   |   rcv_data1
|    1   |    0   |   snd_data2

| Machine 3 State Transitions
| From   |   To   |   Transition
|    0   |    1   |   rcv_data2
|    1   |    0   |   snd_data3

SYSTEM REACHABILITY GRAPH

0  [  0,  0,  0  ]  0  snd_datal  1 

1  [  1,  0,  0  ]  0  rcv_datal  2 

2  [  1,  1,  0  ]  0  snd_data2  3 

3  [  1,  0,  0  ]  1  rcv_data2  4 

4  [  1,  0,  1  ]  0  snd_data3  5 

5  [  1,  0,  0  ]  2  rcv_data3  0

SUMMARY  OF  REACHABILITY  ANALYSIS  (ANALYSIS  COMPLETED) 

Number  of  states  generated  : 6 
Number  of  states  analyzed  : 6 
Number  of  deadlocks  :  0 


UNEXECUTED  TRANSITIONS 

*****NONE*****




Figure  32:  Program  output  for  system  state  analysis 


2. The number after the "]" sign is the subscript, which is explained in Chapter II.
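The global reachability construction of Figure 26 and the system-state reduction of Figure 28, run on the ring protocol of Figures 31 and 32, as an added Python example (not the thesis's Ada programs): it transcribes the predicates of Figure 22 and the actions of Figure 24 and explores the global states breadth-first. The initial variable values (one data value in out_buff1, everything else empty) and the system-state criterion (machine-state tuple plus the set of enabled transitions) are assumptions, since the definitions package and Chapter II are not on this page.

```python
"""Global reachability analysis of the example ring protocol (added example).

Not the thesis's Ada code: the predicates of Figure 22 and the actions of
Figure 24 are transcribed into Python and the global state space is explored
breadth-first as Figure 26 describes.  Assumed initial values (the definitions
package is not on the page): machine 1 holds one data value in out_buff1 and
every other buffer and channel is empty.
"""
from collections import deque
from typing import NamedTuple

E = "E"        # empty value of the buffer enumeration type
DATA = "d0"    # constructed data value that circulates around the ring


class GState(NamedTuple):
    """One global state: machine states plus all local and shared variables."""
    s: tuple      # FSM states of machine1, machine2, machine3
    inb: tuple    # in_buff1, in_buff2, in_buff3
    out: tuple    # out_buff1, out_buff2, out_buff3
    chan: tuple   # CHAN1, CHAN2, CHAN3


INITIAL = GState(s=(0, 0, 0), inb=(E, E, E), out=(DATA, E, E), chan=(E, E, E))

# transition -> (machine that executes it, channel it uses), 0-based (Figure 24)
TRANS = {
    "snd_data1": (0, 0), "snd_data2": (1, 1), "snd_data3": (2, 2),
    "rcv_data1": (1, 0), "rcv_data2": (2, 1), "rcv_data3": (0, 2),
}
# FSM of the ring machines (specification part of Figure 31): (state, transition) -> next state
NEXT = {(0, "snd_data1"): 1, (1, "rcv_data3"): 0,
        (0, "rcv_data1"): 1, (1, "snd_data2"): 0,
        (0, "rcv_data2"): 1, (1, "snd_data3"): 0}


def enabled(g: GState) -> tuple:
    """Analyze_Predicates_Machine1..3 of Figure 22 merged into one function."""
    found = []
    for t, (m, c) in TRANS.items():
        if (g.s[m], t) not in NEXT:
            continue                                   # not an outgoing transition here
        if t.startswith("snd"):
            ok = g.chan[c] == E and g.out[m] != E      # channel free and data to send
        else:
            ok = g.chan[c] != E                        # data waiting on the channel
        if ok:
            found.append(t)
    return tuple(sorted(found))


def action(g: GState, t: str) -> GState:
    """Action procedure of Figure 24: the successor global state after firing t."""
    m, c = TRANS[t]
    s, inb, out, chan = list(g.s), list(g.inb), list(g.out), list(g.chan)
    if t.startswith("snd"):
        chan[c] = out[m]                               # CHANc := out_buff_m
        out[m] = E                                     # out_buff_m := E
    else:
        inb[m] = chan[c]                               # in_buff_m := CHANc
        out[m] = inb[m]                                # pass the value on around the ring
        chan[c] = E                                    # CHANc := E
    s[m] = NEXT[(g.s[m], t)]
    return GState(tuple(s), tuple(inb), tuple(out), tuple(chan))


def global_reachability(start: GState = INITIAL):
    """Breadth-first construction of the global reachability graph (Figure 26).

    Returns (graph, deadlocks): graph maps each reached state to its list of
    (transition, successor) edges; deadlocks lists states with no enabled
    transition, which is how a deadlock is reported here.
    """
    graph = {start: []}
    queue = deque([start])                             # the Gpointer_queue of Figure 26
    deadlocks = []
    while queue:
        g = queue.popleft()
        ts = enabled(g)
        if not ts:
            deadlocks.append(g)
        for t in ts:
            n = action(g, t)
            if n not in graph:                         # dict hashing replaces the thesis's hash search
                graph[n] = []
                queue.append(n)
            graph[g].append((t, n))
    return graph, deadlocks


def system_states(graph) -> set:
    """Project the global graph onto (machine-state tuple, enabled transitions).

    Assumed here to be the equivalence that produces the subscripts of Figure 32.
    """
    return {(g.s, enabled(g)) for g in graph}


if __name__ == "__main__":
    graph, deadlocks = global_reachability()
    for number, (g, edges) in enumerate(graph.items()):
        print(number, list(g.s), g.inb, g.out, g.chan, [t for t, _ in edges])
    print("states generated:", len(graph), " deadlocks:", len(deadlocks))
    print("system states:", len(system_states(graph)))
```

Run stand-alone, the script lists the 12 global states of Figure 31 and reduces them to the 6 system states of Figure 32.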
V.  EXAMPLES FOR USING THE MUSHROOM PROGRAM

In  this  Chapter,  the  programs  Simple  Mushroom,  Big  Mushroom,  and  Smart 
Mushroom  are  demonstrated  with  several  examples. 

The Simple Mushroom program will be used to analyze a simple four-machine example
protocol, which illustrates some important aspects of the program, such as detecting
unspecified receptions and unexecuted transitions. Also, the information transfer
phase of a full duplex LAP-B protocol specified by the CFSM model will be analyzed. This
protocol illustrates a larger and more complex analysis.

The  Big  Mushroom  and  Smart  Mushroom  programs  will  be  used  to  analyze  the  GO 
BACK  N  protocol  with  a  window  size  of  10,  and  the  Token  Bus  protocol,  which  illustrates 
some  important  aspects  of  the  system  state  analysis. 

A.     CFSM  MODEL 

1.     A  Simple  Four  Machine  Protocol 

The  specification  of  the  protocol  using  the  CFSM  model  is  shown  in  Figure  33. 
Each  of  the  machines  sends/receives  a  message/acknowledgment  from  another  machine. 
Machines  2  and  3  also  have  another  send  transition  from  state  1  to  state  3.  The  FSM 
description  of  the  protocol  is  shown  in  Figure  34,  and  analysis  results  obtained  by  the 
Simple  Mushroom  program  are  shown  in  Figure  35.  The  analysis  generated  36  global  states. 
There  are  three  unspecified  receptions  and  one  unexecuted  transition.  No  deadlocks  or 
channel  overflows  are  recorded.  The  maximum  channel  size  is  2.  These  results  are  obtained 
by  simply  entering  the  FSM  text  file  into  the  program.  This  analysis  would  be  very 
cumbersome  to  do  manually,  even  for  a  simple  specification  like  this  one. 
[Figure 33 (diagram): the four machines drawn as state graphs with labelled
transitions. MACHINE 1: -D,m2 and +A,m3; MACHINE 2: -D,m3, +D,m1 and +D,m4;
MACHINE 3: -A,m1, +D,m2 and -D,m4; MACHINE 4: +D,m3 and -D,m2. The same
transitions are listed in text form in Figure 34.]

Figure 33: Specification for the example four machine protocol


start
number_of_machines 4
machine 1
state 1
trans -D 2 2
state 2
trans +A 1 3
machine 2
state 1
trans -D 3 3
trans +D 2 1
state 2
trans +D 1 4
machine 3
state 1
trans -A 3 1
trans +D 2 2
state 2
trans -D 1 4
machine 4
state 1
trans +D 2 3
state 2
trans -D 1 2
initial_state 1111
finish


Figure  34:  FSM  text  file  for  the  example  protocol 
UNEXECUTED TRANSITIONS

| Machine 2 Unexecuted Transitions                     |
| From | To | other machine | Unexecuted Transition    |
|   2  |  1 |       4       |          +D              |

Figure  35:  Program  output  for  the  example  protocol 
2.     Analysis of Information Transfer Phase of the LAP-B Protocol

In  this  Section,  analysis  of  a  Data  Link  Control  (DLC)  protocol  is  described  using 
the  Simple  Mushroom  program.  The  LAP-B  protocol  is  modeled  and  analyzed  with  CFSM 
model [Ref. 14]. A simplified analysis of the information transfer phase of the protocol,
which includes only I-frames with a window size of 2, will be described below.

This  analysis  is  important  in  two  ways.  First,  it  verifies  that  the  program  is  correct 
by  obtaining  the  same  analysis  results  as  in  [Ref.  14].  Secondly,  it  is  a  good  example  to 
show  that  the  total  number  of  global  states  can  be  very  large,  even  for  such  a  limited 
protocol.  The  description  of  the  information  transfer  phase  is  explained  below  as  it  appears 
in  [Ref.  14]. 

The  network  nodes,  which  are  connected  by  the  protocol,  consist  of  a  Data 
Terminal  Equipment  (DTE)  and  a  Data  Circuit  Terminating  Equipment  (DCE).  In  this 
model, DTE and DCE are considered process 1 and process 2 respectively. Each of these
processes is also modeled as three sub-processes: Sender, Receiver and Frame Assembler
Disassembler (FAD), which are numbered as 1 or 2 according to their process numbers.

Figure  36  shows  the  processes  and  how  they  are  connected.  The  FAD  process 
combines  data  blocks  from  the  Sender  with  acknowledgments  from  the  Receiver,  into 
complete  I-frames  and  sends  the  I-frames  to  the  FAD  of  the  other  process.  The  FAD  also 
breaks  up  the  I-frames  received  from  the  other  FAD  and  sends  the  acknowledgment  to  the 
Sender,  and  data  blocks  to  the  Receiver. 

I-frames  are  expressed  by  the  notation  "Inm",  where  n  is  the  send  sequence 
number  N(S),  and  m  is  the  receive  sequence  number  N(R).  The  message  "Di"  is  a  data 
block  sent  from  the  Sender  to  the  FAD,  or  from  the  FAD  to  the  receiver;  it  is  the  data  block 
which  is  to  be  placed  in,  or  which  is  taken  out  of,  the  I-frame.  The  "i"  in  "Di"  is  the  send 
sequence  number.  The  message  "Ai"  is  an  acknowledgment  with  a  receive  sequence 
number  of  i. 
The finite state machines for the Sender, Receiver and FAD of the DTE are shown
in  Figures  37,  38  and  39.  The  FSMs  for  the  DCE  are  the  same  except  that  FAD1, 
RECEIVER  1,  and  SENDER  1  must  be  replaced  with  FAD2,  RECEIVER2,  and  SENDER2 
respectively.  Since  no  RR-frames  are  used,  I-frames  can  only  be  acknowledged  by 
receiving  an  N(R)  from  an  incoming  I-frame. 

As an example, suppose the DTE Sender1 has 3 data blocks to send. It can go
from state 1 to state 2, sending "D0," and then to state 3, sending the second block as "D1."
At this point, 2 data blocks are outstanding, so it must wait for an acknowledgment of at
least one of them before sending the third.

The DTE FAD1 process, initially in state 1, will receive the D0 from Sender1 and
enter state 2. It then sends an "enquiry" to Receiver1 to get the latest acknowledgment,
an N(R), for the data blocks received from the DCE.

Since no data blocks have been received by the DTE yet, Receiver1 will respond
with an "A0." FAD1 will receive the A0, and will transition from state 8 to 11. FAD1
will then return to state 1, sending the I-frame "I00." Similarly, FAD1 will receive the
second data block, D1, and transmit it as "I10" after combining it with "A0."

FAD2 will receive the "I00" frame first, entering state 20. It then splits this I-
frame and sends the "D0" to Receiver2, and "A0" to Sender2.

Sender2 is in state 1, and simply discards this "A0." Receiver2 is in state 1,
accepts the "D0" data block and transitions to state 2.

Similarly, the DCE FAD2 process receives the "I10" message, and sends the
"D1" to Receiver2, and "A0" to Sender2. Sender2 will discard the "A0", remaining in
state 1, and Receiver2 will receive "D1," transitioning to state 3.

Suppose at this point a user data block becomes available to send at the DCE. It
will send an "I02" frame across the data link to the DTE; and upon receiving the I02, the
DTE will now be able to send the third user data block.
For the automated analysis of the protocol, the FSMs in Figures 37, 38, and 39 are
converted to a text file and entered into the program as shown in Appendix A. The
transition names in this text file are the same as in the FSM diagrams, such as "+I00",
"+D0", etc. In order to save memory and generate a larger number of states in the analysis,
the transition names can be abbreviated to single characters at the time of the analysis as
shown below:

D0  -> X      I00 -> 1
D1  -> Y      I01 -> 2
D2  -> Z      I02 -> 3
A0  -> A      I10 -> 4
A1  -> B      I11 -> 5
A2  -> C      I12 -> 6
ENQ -> Q      I20 -> 7
              I21 -> 8
              I22 -> 9

The  amount  of  memory  available  and  the  CPU  time  are  always  a  concern  for  a  full 
reachability  analysis.  The  program  output  for  the  analysis  is  partially  given  in  Appendix  A. 
Because  of  the  size  of  the  analysis,  only  a  very  small  portion  of  the  reachable  states  are 
included  in  the  output.  The  total  number  of  global  states  generated  for  the  information 
phase  was  73391.  There  were  no  unspecified  receptions,  unexecuted  transitions,  and 
channel  overflows.  The  maximum  channel  length  was  6.  A  deadlock  condition  was  found 
at  state  17034  where  all  the  channels  were  empty  and  Senderl,  Receiver  1,  FAD1,  FAD2, 
Sender2,  Receiver2  were  in  states  3,  3,  1,  1,  3,  3  respectively.  This  state  deadlock  is 
expected  since  RR-frames  are  not  included  in  the  analysis.  A  more  detailed  explanation 
including  the  RR-frames  in  the  protocol  is  given  in  [Ref.  14].  The  reader  may  note  that  the 
results  of  the  analysis  exactly  match  with  the  results  reported  in  Reference  14.  The 
deadlock  state  found  in  Reference  14  was  67699,  which  was  recorded  at  state  17034  in  this 
analysis.  However,  the  global  states  are  the  same  for  both  analyses.  The  Simple  Mushroom 
program uses a Breadth-First Search algorithm for choosing the states from the work set
(i.e., global states that are generated, but have not been analyzed yet). The protocol verifier
PROVE, used in Reference 14, might be using a Depth First Search approach, which would
result in a different global state number.

The protocol, including the RR-frames, was also entered into the program, but the
program could not complete the analysis due to insufficient computer memory. In this
analysis, 153565 global states were generated. No unspecified receptions, deadlocks or
channel overflows were recorded for the analyzed portion of the protocol. The maximum
channel size reached was 4. The program completed the analysis in 11 hours 51 minutes on
a Sun SPARC station.

B.     SCM  MODEL 

1.     Go  Back  N 

The  first  protocol  selected  for  analysis  using  the  Big  Mushroom  and  Smart 
Mushroom  programs  is  a  1-way  data  transfer  protocol  with  a  variable  window  size,  which 
is  essentially  a  subset  of  the  High-level  Data  Link  Control  (HDLC)  class  of  protocols.  This 
protocol  is  modeled  and  analyzed  with  the  SCM  model  in  [Ref.  1].  The  same  specification 
will  be  used  here  and  an  automated  analysis  will  be  described  using  the  programs 
developed  for  a  window  size  of  10.  The  specification  is  summarized  below: 

There are two machines in the system, a sender (m1) and a receiver (m2). The
sender sends data blocks to the receiver, which are numbered sequentially, 0, 1, ..., w, 0, 1,
... for a window size of w. As in HDLC, the maximum number of data blocks which can be
sent without receiving an acknowledgment is w, the window size. The receiver, m2,
receives the data blocks and acknowledges them by sending the sequence number of the
next data block expected (which is stored in local variable exp). The shared variables
DATA and SEQ are used to pass messages from sender to receiver, and the shared variable
ACK is used to pass acknowledgments back to the sender. The receiver may acknowledge
any number of blocks received up to the window size. Upon receiving the
acknowledgment, the sender must be able to deduce how many data blocks are being
acknowledged. This is done by observing the difference between the values of the received
acknowledgment and the sequence number of the last data block sent.

The  general  specification  of  the  protocol  is  given  in  Figure  40  and  in  Table  4. 
Initially,  both  sender  and  receiver  are  in  state  0,  arrays  DATA  and  SEQ  are  empty,  and 
ACK  is  empty.  The  domains  of  DATA,  Rdata  and  Sdata  are  not  specified;  these  are  used 
to  hold  user  data  blocks.  Sdata  and  Rdata  are  the  interface  or  access  points  of  the  higher 
layer  (user)  protocol.  The  local  variables  for  the  sender  are  Sdata,  used  to  store  data  blocks, 
seq,  used  to  store  the  sequence  number  of  the  next  data  block  to  be  sent  out,  and  i,  used  as 
an index into the DATA and SEQ arrays. Initially seq is set to 0, and i is set to 1. The local
variables of the receiver are Rdata, exp, and j. Rdata is used to receive and store incoming
data blocks, exp to hold the expected sequence number of the next incoming data block, and
j is an index into the shared arrays DATA and SEQ.

The states of both sender and receiver are numbered 0, 1, ..., w, and each state has
an easily recognized intuitive meaning. If the sender is in state 0, then all data blocks sent
to date have been received by the receiver, so a full window size of w data blocks may be
sent without waiting for an acknowledgment. If m1 is in state w, then a full window of
blocks has been sent, so the sender can only wait for the acknowledgment from the
receiver.

If the receiver, m2, is in state 0, then all received data blocks have been
acknowledged. If in state w, then a full window of data blocks has been received, but not
acknowledged. Whenever the receiver sends an acknowledgment, all data blocks received
up to that point are acknowledged.




[Figure 40 (diagram): sender m1 and receiver m2, each drawn as a chain of states
0, 1, ..., w-1, w joined by -D/+D and +A/-A transitions; the shared arrays DATA and
SEQ (indices 1 .. w) and the shared variable ACK sit between the two machines.
Variable domains shown in the figure:
  Sdata :
  Rdata :
  seq : (0, 1, 2, ..., w)
  i   : (1, 2, ..., w)
  exp : (0, 1, 2, ..., w)
  j   : (1, 2, ..., w)]


Figure 40: State machines and variables for Go Back N


TABLE 4: PREDICATE-ACTION TABLE FOR GO BACK N

Transition         | Enabling Predicate                        | Action
-------------------|-------------------------------------------|---------------------------
-D                 | DATA(i) = ε ∧ SEQ(i) = ε                  | DATA(i) <- Sdata(i)
                   |                                           | SEQ(i) <- seq
                   |                                           | inc(i, seq)
+Ak  (0 ≤ k < w)   | ACK ⊕ k = seq ∧ ACK ≠ ε  (next state: k)  | ACK <- ε
+D                 | DATA(j) ≠ ε ∧ SEQ(j) = exp                | Rdata <- DATA(j)
                   |                                           | DATA(j), SEQ(j) <- ε
                   |                                           | inc(j, exp)
-A                 | DATA(j) = ε                               | ACK <- exp
The enabling predicate and action for each transition are shown in Table 4. The
label or transition name is in the leftmost column, the enabling predicate in the middle, and
the corresponding action on the right. There are four basic types of transitions. In the
sender, m1, the -D transition transmits a data block by placing it into the shared variable
DATA(i), and the sequence number into SEQ(i). The send is enabled whenever those
variables are empty. (The interaction between the sender and the user, or higher layer, is
implicit, and not specified here.) The inc operation increments its arguments if they are less
than their maximum value, and otherwise resets them to the minimum value. The operator ⊕
represents the inc operation repeated k times, if the argument is k, and the symbol ε denotes
the empty value. The receive transition in the receiver, m2, is enabled whenever a data block
of the appropriate sequence number is in the jth element of DATA and SEQ. An
acknowledgment may be sent by m2 in any state except 0, in which case no unacknowledged
data blocks have been received.

The remaining transition is the +Ak receive acknowledgment, in m1. If m1 is in
state u, 1 ≤ u ≤ w, and there is a nonempty value in shared variable ACK, then exactly one
of the transitions +A0, +A1, ..., +A(w-1) will be enabled; it will be that Ak such that the
predicate ACK ⊕ k = seq is true, and the next state is k. [Ref. 1]
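The predicate-action table as executable code, added here as a Python example rather than the Ada of Appendix B or the notation of [Ref. 1]: inc, the k-fold operator ⊕, and the four transition types of Table 4, so that the sender's +Ak selection can be stepped through for any window size w. Assumptions not on the page: -D moves the sender from state u to u+1 and +Ak to state k, +D moves the receiver from v to v+1 and -A back to 0 (as the text above describes), and Sdata holds the constructed blocks d1 .. dw.

```python
"""Go Back N predicate-action table (Table 4) as executable Python.

Added example; not the thesis's Appendix B nor the notation of [Ref. 1].
Assumed FSM (Figure 40 is not legible here, but the text describes it):
-D moves the sender from state u to u+1, +Ak moves it to state k; +D moves
the receiver from v to v+1 and -A moves it back to 0.  Sdata holds the
constructed blocks "d1" .. "dw".
"""

EMPTY = None   # epsilon, the empty value of Table 4


def inc(value, lo, hi):
    """inc of Table 4: increment when below the maximum, else reset to the minimum."""
    return value + 1 if value < hi else lo


def oplus(value, k, w):
    """ACK (+) k of Table 4: inc applied k times over the sequence domain 0 .. w."""
    for _ in range(k):
        value = inc(value, 0, w)
    return value


class GoBackN:
    """Sender m1 and receiver m2 sharing DATA, SEQ and ACK, window size w."""

    def __init__(self, w):
        self.w = w
        self.DATA = [EMPTY] * (w + 1)        # shared arrays; index 0 unused so i, j run 1 .. w
        self.SEQ = [EMPTY] * (w + 1)
        self.ACK = EMPTY                     # shared acknowledgment
        self.Sdata = [EMPTY] + [f"d{n}" for n in range(1, w + 1)]   # constructed user data
        self.Rdata = EMPTY
        self.seq, self.i, self.state1 = 0, 1, 0       # sender locals and FSM state u
        self.exp, self.j, self.state2 = 0, 1, 0       # receiver locals and FSM state v

    def enabled(self):
        """Enabling predicates of Table 4 plus the FSM state guards; names that may fire."""
        t = []
        i, j, w = self.i, self.j, self.w
        if self.state1 < w and self.DATA[i] is EMPTY and self.SEQ[i] is EMPTY:
            t.append("-D")                            # DATA(i) = e and SEQ(i) = e
        if self.state1 >= 1 and self.ACK is not EMPTY:
            # exactly one of +A0 .. +A(w-1) satisfies ACK (+) k = seq
            t += [f"+A{k}" for k in range(w) if oplus(self.ACK, k, w) == self.seq]
        if self.state2 < w and self.DATA[j] is not EMPTY and self.SEQ[j] == self.exp:
            t.append("+D")                            # DATA(j) /= e and SEQ(j) = exp
        if self.state2 != 0 and self.DATA[j] is EMPTY:
            t.append("-A")                            # DATA(j) = e, any state except 0
        return t

    def fire(self, t):
        """Action column of Table 4 for t, followed by the FSM state change."""
        if t not in self.enabled():
            raise ValueError(f"{t} is not enabled")
        if t == "-D":
            self.DATA[self.i] = self.Sdata[self.i]                  # DATA(i) <- Sdata(i)
            self.SEQ[self.i] = self.seq                             # SEQ(i) <- seq
            self.i, self.seq = inc(self.i, 1, self.w), inc(self.seq, 0, self.w)   # inc(i, seq)
            self.state1 += 1
        elif t.startswith("+A"):
            self.ACK = EMPTY                                        # ACK <- e
            self.state1 = int(t[2:])                                # next state k: blocks still outstanding
        elif t == "+D":
            self.Rdata = self.DATA[self.j]                          # Rdata <- DATA(j)
            self.DATA[self.j] = self.SEQ[self.j] = EMPTY            # DATA(j), SEQ(j) <- e
            self.j, self.exp = inc(self.j, 1, self.w), inc(self.exp, 0, self.w)   # inc(j, exp)
            self.state2 += 1
        else:  # "-A"
            self.ACK = self.exp                                     # ACK <- exp
            self.state2 = 0
        return self


if __name__ == "__main__":
    p = GoBackN(3)
    for t in ["-D", "-D", "+D", "+D", "-A", "-D"]:
        p.fire(t)
    # ACK = 2 arrives while seq = 3: ACK (+) 1 = seq, so +A1 fires and one block stays outstanding
    print("enabled:", p.enabled(), " ACK:", p.ACK, " seq:", p.seq)
    p.fire("+A1")
    print("sender state:", p.state1)
```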

For analyzing this protocol using the Big Mushroom and Smart Mushroom
programs, the inputs to the program must be completed. These consist of a text file
description of the FSMs, the package definitions, which includes the variables of the protocol,
and the subprograms Analyze_Predicates_Machine and Action, which define the
predicate-action table. Also an output_Gtuple procedure, which defines the output format
for the global tuples, must be entered. Completed packages/procedures for a window size
of 10 are given in Appendix B.

The same names are used for local and shared variables in the package definitions
as in the predicate-action table. Variables DATA, ACK and Sdata are declared as one-
dimensional arrays of size 10, which is the window size. Local variables seq and exp and
index numbers i and j are declared as integers in the range 0 to 10. Global variable ACK is
declared as an integer in the range -1 to 10, where -1 represents the ε value in the predicate-action
table. An enumeration type, buffer_type, is declared for storing the data passed by the upper
layer to local variable Sdata. Data are declared as d0, d1, ..., d9, e, where e represents the ε
value. Transition names in the specification are defined as snd_data, rcv_data, snd_ack, and
rcv_ack_k for -D, +D, -A, and +Ak in the predicate-action table respectively.

Actions and predicates are also translated to Ada statements in the subprograms Analyze_Predicates_Machine1, Analyze_Predicates_Machine2 and Action. For each state in both machines there is a "when" statement. The predicates for the outgoing transitions from that state are translated to Ada with "if" conditional statements. Actions in the predicate-action table are converted to Ada statements within "when" statements (see Appendix B).

The program generated 286 system states and 31,460 global states, which are identical to the results obtained from the formulas given in [Ref. 1]. The protocol is free from deadlocks and there are no unexecuted transitions. The difference between the number of system and global states shows the power of the system state analysis, which reduced the number of states in the reachability graph exponentially. However, without the Smart Mushroom program the system state analysis would be cumbersome to do manually, and the global reachability analysis would be infeasible.

2.     Token  Bus 

As another example of the program's application, the token bus specification in [Ref. 15] will be used. The specification is a simplified one. It assumes that the transmission medium is error free and all transmitted messages are received undamaged. Both the system state analysis and the global analysis are generated from this token bus specification for a protocol consisting of 8 machines.

The specification of this simplified protocol is given in Figure 41 and Table 5. The FSM diagram and the local variables are the same for each machine; the transition names ready, rcv, pass, get-tk, pass-tk, Xmit, and moreD have the corresponding machine number appended for each machine in the specification. For example, transitions for machine 7 are named ready7, rcv7, pass7, etc. This makes it easier to follow the reachability graphs. The remainder of the protocol specification as described in Reference 15 is as follows: The shared variable, MEDIUM, is used to model the bus, which is "shared" by each machine. A transmission onto the bus is modeled by a write into the shared variable. The fields of this variable correspond to the parts of the transmitted message: the first field, MEDIUM.t, takes the values T or D, which indicate whether the frame is a token or a data frame. The second field contains the address of the station to which the message is transmitted (DA for "destination address"); the next field, the originator (SA for "source address"); and finally the data block itself.

The  network  stations,  or  machines,  are  defined  by  a  finite  state  machine,  a  set  of 
local  variables,  and  a  predicate-action  table.  The  initial  state  of  each  machine  is  state  0,  and 
the  shared  variable  is  initially  set  to  contain  the  token  with  the  address  of  one  of  the  stations 
in  the  "DA"  field. 

The  value  of  local  variable  next  is  the  address  of  the  next  or  downstream  neighbor, 
and  these  are  initialized  so  that  the  entire  network  forms  a  cycle,  or  logical  ring. 

The  local  variable  i  is  used  to  store  the  station's  own  address.  As  implied  by  the 
names,  the  local  variables  inbuf  and  outbuf  are  used  for  storing  data  blocks  to  be  transmitted 
to  or  retrieved  from  other  machines  on  the  network.  The  latter  of  these,  outbuf,  is  an  array 
and  thus  can  store  a  potentially  large  number  of  data  blocks.  The  local  variable  ctr  serves 
to  count  the  number  of  blocks  sent;  it  is  an  upper  bound  on  the  number  of  blocks  which  can 
be  sent  during  a  single  token  holding  period.  The  local  variable  j  is  an  index  into  the  array 
outbuf. 
[Figure 41 (diagram not reproduced): the FSM and variables of a network node. The shared variable MEDIUM has the fields t, DA, SA and data. Each station has the local variables i (my address), next (address of next station), ctr in 1, 2, ..., k+1, j in 1, 2, ..., k, and the array outbuf, whose elements 1, ..., j each carry the fields t, DA, SA and data.]

Figure 41: FSM and variables for the network nodes

The local variables j and ctr are initially set to 1, and inbuf and outbuf are initially set to empty. The shared variable MEDIUM initially contains the token, with the address of the station in the DA field. Thus the initial system state tuple is (0, 0, ..., 0) and the first transition taken will be get-tk by the station which has its local variable i equal to MEDIUM.DA.

Each  machine  has  four  states.  In  the  initial  state,  0,  the  stations  are  waiting  to 
either  receive  a  message  from  another  station,  or  the  token.  If  the  token  appears  in  the 
variable  MEDIUM  with  the  station's  own  address,  the  transition  to  state  2  is  taken.  When 
taking the get-tk transition, the machine clears the communication medium and sets the message counter ctr to 1. In state 2, the station transmits any data blocks it has, moving to
state  3,  or  passes  the  token,  returning  to  state  0.  In  state  3,  the  station  will  return  to  state  2 
if  any  additional  blocks  are  to  be  sent,  until  the  maximum  count  k  is  reached.  When  the 
count  is  reached,  or  when  all  the  station's  messages  have  been  sent,  the  station  returns  to 
state  0. 

The  receiving  station,  as  with  all  stations  not  in  possession  of  the  token,  will  be  in 
state  0.  The  message  will  appear  in  MEDIUM,  with  the  receiving  station's  address  in  the 
DA  field.  The  receiving  transition  to  state  1  will  then  be  taken,  the  data  block  copied,  and 
MEDIUM  cleared.  By  clearing  the  medium,  the  receiving  station  enables  the  sending 
station  to  return  to  its  initial  state  (0)  or  to  its  sending  state  (2). 

TABLE 5: PREDICATE-ACTION TABLE FOR THE NETWORK NODES

  Transition   Enabling Predicate                         Action
  ----------   ----------------------------------------   -------------------------------------------
  rcv          MEDIUM.(t, DA) = (D, i)                    inbuf ← MEDIUM.(SA, data)
  ready        true                                       MEDIUM ← ∅
  get-tk       MEDIUM.(t, DA) = (T, i)                    MEDIUM ← ∅; ctr ← 1
  pass         outbuf[j] = ∅                              MEDIUM ← (T, next, i, ∅)
  Xmit         outbuf[j] ≠ ∅                              MEDIUM ← outbuf[j]; ctr ← ctr ⊕ 1; j ← j ⊕ 1;
                                                          outbuf[j] ← ∅
  moreD        MEDIUM = ∅ ∧ outbuf[j] ≠ ∅                 null
  pass-tk      MEDIUM = ∅ ∧                               MEDIUM ← (T, next, i, ∅)
               (outbuf[j] = ∅ ∨ ctr = k+1)
The symbol "⊕" indicates that the variable should be incremented unless its maximum value has been reached, in which case it should be reset to the initial value. The notation MEDIUM.(t, DA) is used to denote the first two fields of the variable MEDIUM. For example, MEDIUM.(t, DA) = (T, i) is a boolean expression which is true if and only if the first field of MEDIUM contains the value T, and the second field contains the value i. Other notations in the predicate-action table such as "∧", "∨", "←" etc. are intuitive.

The  inputs  to  the  program  for  the  reachability  analysis  of  this  protocol  are  given 
in  Appendix  C.  The  same  names  as  in  the  specification  are  used  for  the  local  and  global 
variables  in  the  package  definitions.  Also,  the  "empty"  value  is  represented  by  "E"  and  the 
data  are  represented  by  "I"  in  this  package.  The  upper  bound  on  the  number  of  data  blocks 
in  the  outbuf  variable  is  set  to  7. 

The system state analysis alone did not give a complete analysis, due to some loops in the FSMs of the SCM specification. Since the system state analysis assumes that two system states are equivalent if both the machine state tuples and the outgoing transitions are the same, it can give insufficient results in some special cases. For example, incomplete results can arise when the FSMs of the specification include loops that result in the same states and enabled transitions repeatedly. In such specifications, some of the transitions will stay unexecuted, resulting in an incomplete analysis. This situation is observed in this specification when one of the machines has two or more data blocks in its outbuf local variable. For instance, if machine 1 has two data blocks in its outbuf local variable waiting for transmission and it receives the token from MEDIUM, it transitions to state 2 with get-tk and then takes the Xmit transition to state 3, sending the first data block. Since it has one more data block to send, the next transition will be moreD, which will take it back to state 2. At this point the system state analysis will stop and the reachability analysis will be incomplete.
The problem can be solved by splitting the system state analysis into three parts.
First,  the  protocol  can  be  analyzed  with  no  messages  in  the  machines  and  the  behavior  of 
the  machines  including  only  the  transitions  of  the  token  can  be  observed  (transitions  get-tk 
and  pass).  Then,  the  analysis  can  be  performed  with  one  message  in  the  outbuf  local 
variables  of  the  machines,  which  allows  us  to  analyze  the  transitions  for  receiving/ 
transmitting  the  messages  in  addition  to  the  transitions  including  the  token  (get-tk,  Xmit, 
rev,  ready,  pass-tk).  Finally,  the  protocol  can  be  analyzed  with  each  machine  having  more 
than  one  message,  which  includes  the  last  transition  in  the  analysis  (moreD).  Combining 
the  results  of  these  parts  shows  that  the  protocol  is  free  from  deadlocks  and  there  are  no 
unexecuted  transitions. 

The  definitions  packages  and  the  analysis  results  are  given  separately  for  each  of 
the  three  cases  outlined  above  in  Appendix  C.  The  system  state  analysis  generated  16,  40 
and  5  system  states  respectively  for  the  parts  explained  above.  The  global  analysis  has 
generated  263  global  states  and  there  were  no  deadlocks  or  unexecuted  transitions.  The 
global  reachability  analysis  is  also  given  in  Appendix  C. 

The  system  state  analysis  has  reduced  the  number  of  states  from  263  (global)  to 
61  (for  all  three  parts).  This  is  another  example  showing  the  advantage  of  the  system  state 
analysis. 
VI. CONCLUSIONS AND FURTHER RESEARCH POSSIBILITIES

In  this  thesis,  a  software  tool  has  been  described  which  automates  the  analysis  of 
protocols  specified  by  the  SCM  and  CFSM  models.  The  program  generates  either  the 
system  state  analysis  or  global  reachability  analysis  for  the  SCM  model.  The  program  also 
generates  the  full  reachability  graph  for  a  protocol  specified  by  the  CFSM  model. 

The  major  achievement  of  the  thesis  was  the  increase  in  the  number  of  machines  in  the 
protocol  specification.  The  previous  work  in  [Ref.  8]  was  extended  to  allow  two  to  eight 
machines  in  the  specification.  The  run  time  and  memory  efficiency  of  the  program  were 
improved  to  allow  the  analysis  of  larger  and  more  complex  protocols.  The  user  interface  of 
the  program  has  also  been  improved. 

The  system  state  analysis  reduces  the  size  of  the  state  space  greatly,  but  in  some  cases, 
when  the  system  state  analysis  is  not  sufficient  for  the  protocol  analysis,  the  global 
reachability  analysis  is  required.  The  Smart  Mushroom  program  generates  the  system  state 
graph.  The  Simple  and  Big  Mushroom  programs  are  based  on  exhaustive  analysis,  and 
generate the full global reachability graph. The main problem in these programs is the "state space explosion." As stated in [Ref. 16], an estimate for the maximum size of the state space that can be reached for a full reachability analysis is about 10^5 states. This is in agreement with the maximum number of states generated so far using the Big Mushroom program (153565 = 1.53 x 10^5 states were generated for the example protocol described in Chapter V).

The size of the state space which can be generated is directly proportional to the memory available on the computer. For a full reachability graph, an equation can be derived for determining the maximum number of states, N = (M - O)/S, where

M: Memory available on the computer (bytes).

S: Amount of memory for storing one system state (bytes).

O: Overhead (memory for storing the program and other data structures etc.).

Usually O ≪ M, and O can be ignored. For instance, for the LAP-B protocol analysis described in Chapter V, M = 80 MBytes, S = 516 bytes, and N = 162596. In this analysis, only 153565 states were generated by the Simple Mushroom program. The difference between these numbers is due to the exclusion of the overhead in the calculation. Unfortunately memory was not enough for 100% coverage in this analysis.

In spite of the state space explosion, the programs developed in this thesis are still very helpful for analyzing protocols. A full reachability analysis may be feasible by keeping the protocol specifications as simple as possible, and by using certain assumptions about the behavior of the protocol to reduce the size of the state space. For example, the size of the message queue is very important for the CFSM model. A smaller message queue decreases S and allows larger protocols to be analyzed. A specification with fewer processes increases the number of states that can be analyzed. Modeling the machines with fewer states is also helpful. For the SCM model, N can be increased by keeping the size of global and local variables as small as possible. A simpler protocol specification also reduces the run time.

But in some cases, even after some simplifications, a full reachability analysis is impossible. Fortunately, some solutions still exist for automated protocol analysis. One method, described in [Ref. 16], is the supertrace algorithm. In the Mushroom program, hashing is used to increase the search efficiency. In the supertrace algorithm a very large hash table (almost the whole available memory) is used, and system states are not stored. This method is explained in [Ref. 16]. For example, with 10 MB of memory, 80 million states can be generated using this method, as described in [Ref. 16]. Of course this efficiency does not come free. Due to hash conflicts, this method cannot guarantee 100% coverage, but as a partial search technique this algorithm is very powerful.
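The token bus analysis of Chapter V (Table 5 and the three-part analysis of its moreD loop) and the supertrace idea just described, as one added Python example that is not part of the thesis or its Mushroom programs: it encodes the predicate-action table of the simplified token bus, runs a breadth-first global reachability analysis that reports reachable states, deadlocks and unexecuted transitions, and lets the visited-state store be either exhaustive or a supertrace-style bit table. It assumes k = 2 (ctr in 1..k+1), data blocks written as "I" as in the Appendix C package, an initial token whose SA field is station n, and reads the Xmit row as clearing the slot just transmitted.

```python
from collections import deque
import hashlib

K = 2            # max blocks per token holding period (assumed small); ctr in 1..K+1
T, D = "T", "D"  # MEDIUM.t: token frame or data frame
E = None         # the "empty" value (E in the Appendix C package)
TRANSITIONS = ("rcv", "ready", "get-tk", "pass", "Xmit", "moreD", "pass-tk")

def inc(v, maximum):
    """The circled-plus operator of Table 5: increment, wrapping to 1 at the maximum."""
    return 1 if v == maximum else v + 1

def station(outbuf=()):
    """Initial local state (state, ctr, j, inbuf, outbuf) of one station."""
    return (0, 1, 1, E, tuple(outbuf) + (E,) * (K - len(outbuf)))

def step(name, m, medium, i, nxt):
    """Row `name` of Table 5 for station i (neighbour nxt): (new local, new MEDIUM) or None."""
    s, ctr, j, inbuf, outbuf = m
    slot = outbuf[j - 1]                                  # outbuf[j], 1-based in the table
    if name == "rcv" and s == 0 and medium is not E and medium[:2] == (D, i):
        return (1, ctr, j, medium[2:], outbuf), medium    # inbuf <- MEDIUM.(SA, data)
    if name == "ready" and s == 1:
        return (0, ctr, j, inbuf, outbuf), E              # MEDIUM <- empty
    if name == "get-tk" and s == 0 and medium is not E and medium[:2] == (T, i):
        return (2, 1, j, inbuf, outbuf), E                # MEDIUM <- empty; ctr <- 1
    if name == "pass" and s == 2 and slot is E:
        return (0, ctr, j, inbuf, outbuf), (T, nxt, i, E)
    if name == "Xmit" and s == 2 and slot is not E:
        # MEDIUM <- outbuf[j]; the slot just sent is cleared (our reading of the
        # table's outbuf[j] <- empty), then ctr and j advance with wrap-around
        cleared = outbuf[:j - 1] + (E,) + outbuf[j:]
        return (3, inc(ctr, K + 1), inc(j, K), inbuf, cleared), slot
    if name == "moreD" and s == 3 and medium is E and slot is not E:
        return (2, ctr, j, inbuf, outbuf), medium         # null action
    if name == "pass-tk" and s == 3 and medium is E and (slot is E or ctr == K + 1):
        return (0, ctr, j, inbuf, outbuf), (T, nxt, i, E)
    return None

class ExactSet(set):
    """Exhaustive storage of every reachable global state (full search)."""
    def add(self, state):
        new = state not in self                           # True only for a new state
        set.add(self, state)
        return new

class BitState:
    """Supertrace-style store: one bit per hash value, no stored states, so conflicts lose states."""
    def __init__(self, bits):
        self.bits, self.table = bits, bytearray(bits // 8 + 1)

    def add(self, state):
        digest = hashlib.sha256(repr(state).encode()).digest()   # deterministic hash
        h = int.from_bytes(digest[:8], "big") % self.bits
        byte, mask = h // 8, 1 << (h % 8)
        if self.table[byte] & mask:
            return False                                  # seen before, or a hash conflict
        self.table[byte] |= mask
        return True

def analyze(stations, medium, visited=None):
    """BFS global reachability over (station tuple, MEDIUM): states, deadlocks, unexecuted."""
    visited = ExactSet() if visited is None else visited
    n, start = len(stations), (tuple(stations), medium)
    visited.add(start)
    queue, executed, deadlocks, count = deque([start]), set(), [], 1
    while queue:
        ms, med = queue.popleft()
        enabled = False
        for idx in range(n):
            i, nxt = idx + 1, (idx + 1) % n + 1           # addresses 1..n form a logical ring
            for name in TRANSITIONS:
                result = step(name, ms[idx], med, i, nxt)
                if result is None:
                    continue
                enabled = True
                executed.add(f"{name}{i}")                # e.g. rcv7, pass7, as in the text
                succ = (ms[:idx] + (result[0],) + ms[idx + 1:], result[1])
                if visited.add(succ):
                    count += 1
                    queue.append(succ)
        if not enabled:
            deadlocks.append((ms, med))
    every = {f"{t}{i}" for t in TRANSITIONS for i in range(1, n + 1)}
    return {"states": count, "deadlocks": deadlocks, "unexecuted": sorted(every - executed)}

def ring(blocks):
    """Constructed network: station i holds blocks[i-1] frames for its downstream neighbour."""
    n = len(blocks)
    stations = [station([(D, (idx + 1) % n + 1, idx + 1, "I")] * c)
                for idx, c in enumerate(blocks)]
    return stations, (T, 1, n, E)                         # token for station 1, as if passed by n

if __name__ == "__main__":
    print(analyze(*ring([0] * 8)))                  # token only: 16 global states, no deadlock
    print(analyze(*ring([2, 0, 0])))                # two blocks at station 1 exercise moreD1
    print(analyze(*ring([2, 0, 0]), BitState(16))["states"])  # tiny bit table may lose states
```

With no data blocks only get-tk and pass are ever executed, with one block per station Xmit, rcv, ready and pass-tk appear, and moreD appears only once a station holds two or more blocks, matching the three-part analysis of Chapter V.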

This  thesis  opens  several  areas  for  further  work.  One  improvement  would  be  to 
increase  the  size  of  the  system  space  that  can  be  analyzed.  Adding  the  supertrace  option  to 
the  Mushroom  program  can  be  a  good  area  for  further  work. 

The  number  of  reachable  states  is  usually  very  large  and  it  would  be  awkward  to  print 
out  or  browse  through  the  listing.  Another  improvement  would  be  to  store  the  reachability 
analysis  results  in  the  form  of  a  database,  and  provide  a  query  language  that  allows  the  user 
to  easily  analyze  the  results  of  the  analysis  as  suggested  in  [Ref.  17]  (for  instance,  querying 
the  error  sequences  and  certain  paths  between  any  two  states  etc.). 

Finally,  another  research  possibility  would  be  to  add  a  simulator  module  to  the 
Mushroom.  For  protocols  with  a  large  size  of  state  space,  where  full  reachability  analysis 
is  infeasible,  simulation  would  be  useful. 

The  Ada  programming  language  was  used  to  develop  Mushroom.  Also,  specification 
of  the  SCM  model  must  be  entered  to  the  program  using  Ada  subprograms  and  packages. 
Ada  is  a  well-structured  programming  language,  and  supports  the  modular  development  of 
programs.  Also,  exception  handling,  generic  units,  and  tasking  are  important  features  of 
Ada.  These  features  were  helpful  in  developing  the  program.  The  well-structured  property 
of  the  programming  language  makes  the  input  of  the  specification  easier.  The  tasking 
mechanism  of  Ada  would  be  very  helpful  to  develop  a  simulator  module  for  the  program. 

The Simple Mushroom program is used as a teaching aid in an introductory communications network course at the Naval Postgraduate School. This can be another area where students can use the tool as an aid in learning protocol design and analysis.

The Mushroom program is a tool which, it is hoped, will greatly improve the design and analysis of protocols specified by the SCM and CFSM models. In particular, this program may help to solve some questions concerning the SCM model which have not been completely answered.




APPENDIX  A  (LAP-B  Protocol  Information  Transfer  Phase) 

SUMMARY OF REACHABILITY ANALYSIS    ANALYSIS COMPLETED!

Total number of states generated : 73391
Number of states analyzed : 73391
number of deadlocks : 1
number of unspecified receptions : 0
maximum message queue size : 6
channel overflow : NONE

UNEXECUTED TRANSITIONS
****NONE****
Variable Definitions

with TEXT_IO; use TEXT_IO;
package definitions is

   num_of_machines : constant := 2;

   type scm_transition_type is
      (snd_data, rcv_data, rcv_ack0, rcv_ack1, rcv_ack2, rcv_ack3, rcv_ack4,
       rcv_ack5, rcv_ack6, rcv_ack7, rcv_ack8, rcv_ack9, snd_ack, unused);

   type buffer_type is (d0, d1, d2, d3, d4, d5, d6, d7, d8, d9, e);

   package buff_enum_io is new enumeration_io (buffer_type);
   use buff_enum_io;

   type buffer_array_type is array (1 .. 10) of buffer_type;
   type seq_array_type is array (1 .. 10) of integer range -1 .. 10;

   type machine1_state_type is
      record
         Sdata : buffer_array_type := (d0, d1, d2, d3, d4, d5, d6, d7, d8, d9);
         seq   : integer range 0 .. 10 := 0;
         i     : integer range 1 .. 10 := 1;
      end record;

   type dummy_type is range 1 .. 255;

   type machine2_state_type is
      record
         Rdata : buffer_type := e;
         exp   : integer range 0 .. 10 := 0;
         j     : integer range 1 .. 10 := 1;
      end record;

   type machine3_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine4_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine5_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine6_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine7_state_type is
      record
         dummy : dummy_type;
      end record;

   type machine8_state_type is
      record
         dummy : dummy_type;
      end record;

   type global_variable_type is
      record
         DATA : buffer_array_type := (e, e, e, e, e, e, e, e, e, e);
         SEQ  : seq_array_type := (-1, -1, -1, -1, -1, -1, -1, -1, -1, -1);
         ACK  : integer range -1 .. 10 := -1;
      end record;

end definitions;
Predicate-action Table

separate (main)
procedure Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
   temp1  : integer := GLOBAL.ACK + 0;
   temp2  : integer := (GLOBAL.ACK + 1) mod 11;
   temp3  : integer := (GLOBAL.ACK + 2) mod 11;
   temp4  : integer := (GLOBAL.ACK + 3) mod 11;
   temp5  : integer := (GLOBAL.ACK + 4) mod 11;
   temp6  : integer := (GLOBAL.ACK + 5) mod 11;
   temp7  : integer := (GLOBAL.ACK + 6) mod 11;
   temp8  : integer := (GLOBAL.ACK + 7) mod 11;
   temp9  : integer := (GLOBAL.ACK + 8) mod 11;
   temp10 : integer := (GLOBAL.ACK + 9) mod 11;
begin
   case s is
      when 0 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
      when 1 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
      when 2 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
      when 3 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
      when 4 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
      when 5 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
         if (temp5 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack4); end if;
      when 6 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
         if (temp5 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack4); end if;
         if (temp6 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack5); end if;
      when 7 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
         if (temp5 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack4); end if;
         if (temp6 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack5); end if;
         if (temp7 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack6); end if;
      when 8 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
         if (temp5 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack4); end if;
         if (temp6 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack5); end if;
         if (temp7 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack6); end if;
         if (temp8 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack7); end if;
      when 9 =>
         if (GLOBAL.DATA(local.i) = e) and (GLOBAL.SEQ(local.i) = -1) then
            Push(w, snd_data);
         end if;
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
         if (temp5 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack4); end if;
         if (temp6 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack5); end if;
         if (temp7 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack6); end if;
         if (temp8 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack7); end if;
         if (temp9 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack8); end if;
         if (temp10 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack9); end if;
      when 10 =>
         if (temp1 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack0); end if;
         if (temp2 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack1); end if;
         if (temp3 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack2); end if;
         if (temp4 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack3); end if;
         if (temp5 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack4); end if;
         if (temp6 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack5); end if;
         if (temp7 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack6); end if;
         if (temp8 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack7); end if;
         if (temp9 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack8); end if;
         if (temp10 = local.seq) and (GLOBAL.ACK /= -1) then Push(w, rcv_ack9); end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;


separate (main)
procedure Analyze_Predicates_Machine2 (local  : machine2_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (GLOBAL.DATA(local.j) /= e) and (GLOBAL.SEQ(local.j) = local.exp) then
            Push(w, rcv_data);
         end if;
      when 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 =>
         if GLOBAL.DATA(local.j) = e then
            Push(w, snd_ack);
         end if;
         if (GLOBAL.DATA(local.j) /= e) and (GLOBAL.SEQ(local.j) = local.exp) then
            Push(w, rcv_data);
         end if;
      when 10 =>
         if GLOBAL.DATA(local.j) = e then
            Push(w, snd_ack);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;


separate (main)
procedure Analyze_Predicates_Machine3 (local  : machine3_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine3;


separate (main)
procedure Analyze_Predicates_Machine4 (local  : machine4_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine4;


separate (main)
procedure Analyze_Predicates_Machine5 (local  : machine5_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine5;


separate (main)
procedure Analyze_Predicates_Machine6 (local  : machine6_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine6;


separate (main)
procedure Analyze_Predicates_Machine7 (local  : machine7_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine7;


separate (main)
procedure Analyze_Predicates_Machine8 (local  : machine8_state_type;
                                       GLOBAL : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   null;
end Analyze_Predicates_Machine8;


separate (main)

procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case (in_transition) is
      when snd_data =>
         -- copy the next frame into medium slot i, stamp it with seq,
         -- then advance the slot index (mod 10) and the sequence number (mod 11)
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.Sdata(in_system_state.machine1_state.i);
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.seq;
         out_system_state.machine1_state.i   := (in_system_state.machine1_state.i mod 10) + 1;
         out_system_state.machine1_state.seq := ((in_system_state.machine1_state.seq) + 1) mod 11;

      when rcv_ack0 | rcv_ack1 | rcv_ack2 | rcv_ack3 | rcv_ack4
         | rcv_ack5 | rcv_ack6 | rcv_ack7 | rcv_ack8 | rcv_ack9 =>
         -- the acknowledgement has been consumed; -1 means "no ACK pending"
         out_system_state.GLOBAL_VARIABLES.ACK := -1;

      when snd_ack =>
         -- acknowledge everything received so far (exp = next expected seq)
         out_system_state.GLOBAL_VARIABLES.ACK   := in_system_state.machine2_state.exp;
         out_system_state.machine2_state.Rdata   := E;

      when rcv_data =>
         -- take the frame out of slot j, empty the slot, advance j (mod 10) and exp (mod 11)
         out_system_state.machine2_state.Rdata :=
            in_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j);
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j) := E;
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine2_state.j)  := -1;
         out_system_state.machine2_state.j   := (in_system_state.machine2_state.j mod 10) + 1;
         out_system_state.machine2_state.exp := ((in_system_state.machine2_state.exp) + 1) mod 11;

      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;
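The predicates and actions above fix the gbn_10 protocol completely, so the reachability analysis they drive can be reproduced independently. The program below is an added example written for this page, not part of the thesis code. It re-implements the explorer as a breadth-first search that enumerates transitions in the order the validator prints them (rcv_ackN, snd_data, rcv_data, snd_ack), so its state numbers coincide with the listing that follows. The thesis tuple carries absolute sequence numbers (seq, exp and ACK modulo 11, i and j modulo 10); this example keeps only the three counts the predicates actually depend on: frames in the medium, frames received but not yet acknowledged, and acknowledged frames the sender has not yet consumed. Under that modelling assumption the system has C(13,3) = 286 states, no deadlock and no unexecuted transition, which is the summary the validator reports for gbn_10.scm. The names enabled, analyse, spec_transitions and successors are the example's own.

```python
"""Reachability analysis of the gbn_10 sender/receiver pair (added example)."""
from collections import deque

WINDOW = 10   # machines 1 and 2 each have states 0..10; the medium has 10 slots

# Abstract state (x, t, y) -- an assumption of this example, not the thesis tuple:
#   x = frames in the DATA/SEQ slots not yet taken by the receiver
#   t = frames the receiver has taken since its last snd_ack (= machine 2 state)
#   y = frames covered by the pending ACK that the sender has not consumed yet
# Machine 1 state (frames outstanding) = x + t + y;  GLOBAL.ACK /= -1  <=>  y > 0.
INITIAL = (0, 0, 0)


def m1_state(s):
    return s[0] + s[1] + s[2]


def m2_state(s):
    return s[1]


def enabled(s):
    """Transitions enabled in s, listed in the order the validator prints them."""
    x, t, y = s
    out = []
    # Machine 1: rcv_ackN fires when ACK /= -1 and (ACK + N) mod 11 = seq, i.e.
    # N = x + t frames remain outstanding once the acknowledged ones are dropped.
    if y > 0:
        out.append((f"rcv_ack{x + t}", (x, t, 0)))
    # Machine 1: snd_data while the window (10 outstanding frames) is not full.
    if m1_state(s) < WINDOW:
        out.append(("snd_data", (x + 1, t, y)))
    # Machine 2: rcv_data when DATA(j) /= E and SEQ(j) = exp (a frame is in flight).
    if x > 0 and t < WINDOW:
        out.append(("rcv_data", (x - 1, t + 1, y)))
    # Machine 2: snd_ack when DATA(j) = E (nothing in flight); ACK := exp covers all t frames.
    if t >= 1 and x == 0:
        out.append(("snd_ack", (0, 0, y + t)))
    return out


def spec_transitions():
    """The SPECIFICATION tables as (machine, from, to, name)."""
    spec = set()
    for s in range(WINDOW):
        spec.add((1, s, s + 1, "snd_data"))
        spec.add((2, s, s + 1, "rcv_data"))
    for s in range(1, WINDOW + 1):
        spec.add((2, s, 0, "snd_ack"))
        for n in range(s):
            spec.add((1, s, n, f"rcv_ack{n}"))
    return spec


def analyse():
    """Breadth-first exploration: states in generation order, edges, deadlocks, unexecuted."""
    index = {INITIAL: 0}
    states = [INITIAL]
    edges = []
    deadlocks = []
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        succ = enabled(s)
        if not succ:
            deadlocks.append(index[s])
        for name, nxt in succ:
            if nxt not in index:          # first visit: assign the next state number
                index[nxt] = len(states)
                states.append(nxt)
                queue.append(nxt)
            edges.append((index[s], name, index[nxt]))
    executed = set()
    for src, name, dst in edges:
        a, b = states[src], states[dst]
        if name == "snd_data" or name.startswith("rcv_ack"):
            executed.add((1, m1_state(a), m1_state(b), name))
        else:
            executed.add((2, m2_state(a), m2_state(b), name))
    return {"states": states, "edges": edges, "deadlocks": deadlocks,
            "unexecuted": spec_transitions() - executed}


def successors(result, n):
    """Outgoing edges of state number n as (transition, next state number)."""
    return [(name, dst) for src, name, dst in result["edges"] if src == n]


if __name__ == "__main__":
    r = analyse()
    for n, s in enumerate(r["states"][:20]):
        print(n, f"[{m1_state(s):2d},{m2_state(s):2d}]",
              ", ".join(f"{name} -> {dst}" for name, dst in successors(r, n)))
    print("states:", len(r["states"]), "deadlocks:", len(r["deadlocks"]),
          "unexecuted:", sorted(r["unexecuted"]))
```

Running the module prints the first twenty rows of the reachability graph in the same form as the listing below and then the summary line. The unexecuted-transition check is the validator's coverage argument: every row of the two specification tables must be hit by at least one generated edge, otherwise part of the protocol machine is dead code.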
Output Format


separate (main)

procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
   if print_header then
      new_line(2);
      set_col(7);
      put_line("    m1(seq,i,Sdata), m2(exp,j,Rdata), (DATA,SEQ,ACK)");
      print_header := false;
   end if;

   put("    [" & integer'image(tuple.machine_state(1)));
   put(" , ");
   put(tuple.machine1_state.seq, width => 1);
   put(" , ");
   put(tuple.machine1_state.i, width => 1);
   put(" , ");
   buff_enum_io.put(tuple.machine1_state.Sdata(1), set => upper_case);

   put(" ," & integer'image(tuple.machine_state(2)));
   put(" , ");
   put(tuple.machine2_state.exp, width => 1);
   put(" , ");
   put(tuple.machine2_state.j, width => 1);
   put(" , ");
   buff_enum_io.put(tuple.machine2_state.Rdata, set => upper_case);

   for i in 1 .. 10 loop
      put(" , ");
      buff_enum_io.put(tuple.GLOBAL_VARIABLES.DATA(i), set => upper_case);
      put(",");
      put(tuple.GLOBAL_VARIABLES.SEQ(i), width => 1);
   end loop;
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.ACK, width => 1);
   put(" ]");
end output_Gtuple;
Program Output (System State Analysis)


REACHABILITY ANALYSIS of : gbn_10.scm
SPECIFICATION


Machine 1 State Transitions

From  To  Transition
  0    1  snd_data
  1    0  rcv_ack0
  1    2  snd_data
  2    0  rcv_ack0
  2    1  rcv_ack1
  2    3  snd_data
  3    0  rcv_ack0
  3    1  rcv_ack1
  3    2  rcv_ack2
  3    4  snd_data
  4    0  rcv_ack0
  4    1  rcv_ack1
  4    2  rcv_ack2
  4    3  rcv_ack3
  4    5  snd_data
  5    0  rcv_ack0
  5    1  rcv_ack1
  5    2  rcv_ack2
  5    3  rcv_ack3
  5    4  rcv_ack4
  5    6  snd_data
  6    0  rcv_ack0
  6    1  rcv_ack1
  6    2  rcv_ack2
  6    3  rcv_ack3
  6    4  rcv_ack4
  6    5  rcv_ack5
  6    7  snd_data
  7    0  rcv_ack0
  7    1  rcv_ack1
  7    2  rcv_ack2
  7    3  rcv_ack3
  7    4  rcv_ack4
  7    5  rcv_ack5
  7    6  rcv_ack6
  7    8  snd_data
  8    0  rcv_ack0
  8    1  rcv_ack1
  8    2  rcv_ack2
  8    3  rcv_ack3
  8    4  rcv_ack4
  8    5  rcv_ack5
  8    6  rcv_ack6
  8    7  rcv_ack7
  8    9  snd_data
  9    0  rcv_ack0
  9    1  rcv_ack1
  9    2  rcv_ack2
  9    3  rcv_ack3
  9    4  rcv_ack4
  9    5  rcv_ack5
  9    6  rcv_ack6
  9    7  rcv_ack7
  9    8  rcv_ack8
  9   10  snd_data
 10    0  rcv_ack0
 10    1  rcv_ack1
 10    2  rcv_ack2
 10    3  rcv_ack3
 10    4  rcv_ack4
 10    5  rcv_ack5
 10    6  rcv_ack6
 10    7  rcv_ack7
 10    8  rcv_ack8
 10    9  rcv_ack9


Machine 2 State Transitions

From  To  Transition
  0    1  rcv_data
  1    2  rcv_data
  1    0  snd_ack
  2    3  rcv_data
  2    0  snd_ack
  3    4  rcv_data
  3    0  snd_ack
  4    5  rcv_data
  4    0  snd_ack
  5    6  rcv_data
  5    0  snd_ack
  6    7  rcv_data
  6    0  snd_ack
  7    8  rcv_data
  7    0  snd_ack
  8    9  rcv_data
  8    0  snd_ack
  9   10  rcv_data
  9    0  snd_ack
 10    0  snd_ack

REACHABILITY GRAPH

(Of each printed tuple only the state number, the two machine states [m1, m2] and the
outgoing transitions with their successor state numbers are legible in the scan; the
remaining fields seq, i, Sdata, exp, j, Rdata, the ten DATA/SEQ slots and ACK are not
reproduced here.)

State  [m1,m2]  Transition -> Next state
  0    [ 0, 0]  snd_data -> 1
  1    [ 1, 0]  snd_data -> 2, rcv_data -> 3
  2    [ 2, 0]  snd_data -> 4, rcv_data -> 5
  3    [ 1, 1]  snd_data -> 5, snd_ack -> 6
  4    [ 3, 0]  snd_data -> 7, rcv_data -> 8
  5    [ 2, 1]  snd_data -> 8, rcv_data -> 9
  6    [ 1, 0]  rcv_ack0 -> 0, snd_data -> 10
  7    [ 4, 0]  snd_data -> 11, rcv_data -> 12
  8    [ 3, 1]  snd_data -> 12, rcv_data -> 13
  9    [ 2, 2]  snd_data -> 13, snd_ack -> 14
 10    [ 2, 0]  rcv_ack1 -> 1, snd_data -> 15, rcv_data -> 16
 11    [ 5, 0]  snd_data -> 17, rcv_data -> 18
 12    [ 4, 1]  snd_data -> 18, rcv_data -> 19
 13    [ 3, 2]  snd_data -> 19, rcv_data -> 20
 14    [ 2, 0]  rcv_ack0 -> 0, snd_data -> 21
 15    [ 3, 0]  rcv_ack2 -> 2, snd_data -> 22, rcv_data -> 23
 16    [ 2, 1]  rcv_ack1 -> 3, snd_data -> 23, snd_ack -> 14
 17    [ 6, 0]  snd_data -> 24, rcv_data -> 25
 18    [ 5, 1]  snd_data -> 25, rcv_data -> 26
 19    [ 4, 2]  snd_data -> 26, rcv_data -> 27
 20    [ 3, 3]  snd_data -> 27, snd_ack -> 28
 21    [ 3, 0]  rcv_ack1 -> 1, snd_data -> 29, rcv_data -> 30
 22    [ 4, 0]  rcv_ack3 -> 4, snd_data -> 31, rcv_data -> 32
 23    [ 3, 1]  rcv_ack2 -> 5, snd_data -> 32, rcv_data -> 33
 24    [ 7, 0]  snd_data -> 34, rcv_data -> 35
 25    [ 6, 1]  snd_data -> 35, rcv_data -> 36
 26    [ 5, 2]  snd_data -> 36, rcv_data -> 37
 27    [ 4, 3]  snd_data -> 37, rcv_data -> 38
 28    [ 3, 0]  rcv_ack0 -> 0, snd_data -> 39
 29    [ 4, 0]  rcv_ack2 -> 2, snd_data -> 40, rcv_data -> 41
 30    [ 3, 1]  rcv_ack1 -> 3, snd_data -> 41, snd_ack -> 28
 31    [ 5, 0]  rcv_ack4 -> 7, snd_data -> 42, rcv_data -> 43
 32    [ 4, 1]  rcv_ack3 -> 8, snd_data -> 43, rcv_data -> 44
 33    [ 3, 2]  rcv_ack2 -> 9, snd_data -> 44, snd_ack -> 28
 34    [ 8, 0]  snd_data -> 45, rcv_data -> 46
 35    [ 7, 1]  snd_data -> 46, rcv_data -> 47
 36    [ 6, 2]  snd_data -> 47, rcv_data -> 48
 37    [ 5, 3]  snd_data -> 48, rcv_data -> 49
 38    [ 4, 4]  snd_data -> 49, snd_ack -> 50
 39    [ 4, 0]  rcv_ack1 -> 1, snd_data -> 51, rcv_data -> 52
 40    [ 5, 0]  rcv_ack3 -> 4, snd_data -> 53, rcv_data -> 54
 41    [ 4, 1]  rcv_ack2 -> 5, snd_data -> 54, rcv_data -> 55
 42    [ 6, 0]  rcv_ack5 -> 11, snd_data -> 56, rcv_data -> 57
 43    [ 5, 1]  rcv_ack4 -> 12, snd_data -> 57, rcv_data -> 58
 44    [ 4, 2]  rcv_ack3 -> 13, snd_data -> 58, rcv_data -> 59
 45    [ 9, 0]  snd_data -> 60, rcv_data -> 61
 46    [ 8, 1]  snd_data -> 61, rcv_data -> 62
 47    [ 7, 2]  snd_data -> 62, rcv_data -> 63
 48    [ 6, 3]  snd_data -> 63, rcv_data -> 64
 49    [ 5, 4]  snd_data -> 64, rcv_data -> 65
 50    [ 4, 0]  rcv_ack0 -> 0, snd_data -> 66
 51    [ 5, 0]  rcv_ack2 -> 2, snd_data -> 67, rcv_data -> 68
 52    [ 4, 1]  rcv_ack1 -> 3, snd_data -> 68, snd_ack -> 50
 53    [ 6, 0]  rcv_ack4 -> 7, snd_data -> 69, rcv_data -> 70
 54    [ 5, 1]  rcv_ack3 -> 8, snd_data -> 70, rcv_data -> 71
 55    [ 4, 2]  rcv_ack2 -> 9, snd_data -> 71, snd_ack -> 50
 56    [ 7, 0]  rcv_ack6 -> 17, snd_data -> 72, rcv_data -> 73
 57    [ 6, 1]  rcv_ack5 -> 18, snd_data -> 73, rcv_data -> 74
 58    [ 5, 2]  rcv_ack4 -> 19, snd_data -> 74, rcv_data -> 75
 59    [ 4, 3]  rcv_ack3 -> 20, snd_data -> 75, snd_ack -> 50
 60    [10, 0]  rcv_data -> 76
 61    [ 9, 1]  snd_data -> 76, rcv_data -> 77
 62    [ 8, 2]  snd_data -> 77, rcv_data -> 78
 63    [ 7, 3]  snd_data -> 78, rcv_data -> 79
 64    [ 6, 4]  snd_data -> 79, rcv_data -> 80
 65    [ 5, 5]  snd_data -> 80, snd_ack -> 81
 66    [ 5, 0]  rcv_ack1 -> 1, snd_data -> 82, rcv_data -> 83
 67    [ 6, 0]  rcv_ack3 -> 4, snd_data -> 84, rcv_data -> 85
 68    [ 5, 1]  rcv_ack2 -> 5, snd_data -> 85, rcv_data -> 86
 69    [ 7, 0]  rcv_ack5 -> 11, snd_data -> 87, rcv_data -> 88
 70    [ 6, 1]  rcv_ack4 -> 12, snd_data -> 88, rcv_data -> 89
 71    [ 5, 2]  rcv_ack3 -> 13, snd_data -> 89, rcv_data -> 90
 72    [ 8, 0]  rcv_ack7 -> 24, snd_data -> 91, rcv_data -> 92
 73    [ 7, 1]  rcv_ack6 -> 25, snd_data -> 92, rcv_data -> 93
 74    [ 6, 2]  rcv_ack5 -> 26, snd_data -> 93, rcv_data -> 94
 75    [ 5, 3]  rcv_ack4 -> 27, snd_data -> 94, rcv_data -> 95
 76    [10, 1]  rcv_data -> 96
 77    [ 9, 2]  snd_data -> 96, rcv_data -> 97
 78    [ 8, 3]  snd_data -> 97, rcv_data -> 98
 79    [ 7, 4]  snd_data -> 98, rcv_data -> 99
 80    [ 6, 5]  snd_data -> 99, rcv_data -> 100
 81    [ 5, 0]  rcv_ack0 -> 0, snd_data -> 101
 82    [ 6, 0]  rcv_ack2 -> 2, snd_data -> 102, rcv_data -> 103
 83    [ 5, 1]  rcv_ack1 -> 3, snd_data -> 103, snd_ack -> 81
 84    [ 7, 0]  rcv_ack4 -> 7, snd_data -> 104, rcv_data -> 105
 85    [ 6, 1]  rcv_ack3 -> 8, snd_data -> 105, rcv_data -> 106
 86    [ 5, 2]  rcv_ack2 -> 9, snd_data -> 106, snd_ack -> 81
 87    [ 8, 0]  rcv_ack6 -> 17, snd_data -> 107, rcv_data -> 108
 88    [ 7, 1]  rcv_ack5 -> 18, snd_data -> 108, rcv_data -> 109
 89    [ 6, 2]  rcv_ack4 -> 19, snd_data -> 109, rcv_data -> 110
 90    [ 5, 3]  rcv_ack3 -> 20, snd_data -> 110, snd_ack -> 81
 91    [ 9, 0]  rcv_ack8 -> 34, snd_data -> 111, rcv_data -> 112
 92    [ 8, 1]  rcv_ack7 -> 35, snd_data -> 112, rcv_data -> 113
 93    [ 7, 2]  rcv_ack6 -> 36, snd_data -> 113, rcv_data -> 114
 94    [ 6, 3]  rcv_ack5 -> 37, snd_data -> 114, rcv_data -> 115
 95    [ 5, 4]  rcv_ack4 -> 38, snd_data -> 115, snd_ack -> 81
 96    [10, 2]  rcv_data -> 116
 97    [ 9, 3]  snd_data -> 116, rcv_data -> 117
 98    [ 8, 4]  snd_data -> 117, rcv_data -> 118
 99    [ 7, 5]  snd_data -> 118, rcv_data -> 119
100    [ 6, 6]  snd_data -> 119, snd_ack -> 120
101    [ 6, 0]  rcv_ack1 -> 1, snd_data -> 121, rcv_data -> 122
102    [ 7, 0]  rcv_ack3 -> 4, snd_data -> 123, rcv_data -> 124
103    [ 6, 1]  rcv_ack2 -> 5, snd_data -> 124, rcv_data -> 125
104    [ 8, 0]  rcv_ack5 -> 11, snd_data -> 126, rcv_data -> 127
105    [ 7, 1]  rcv_ack4 -> 12, snd_data -> 127, rcv_data -> 128
106    [ 6, 2]  rcv_ack3 -> 13, snd_data -> 128, rcv_data -> 129
107    [ 9, 0]  rcv_ack7 -> 24, snd_data -> 130, rcv_data -> 131
108    [ 8, 1]  rcv_ack6 -> 25, snd_data -> 131, rcv_data -> 132
109    [ 7, 2]  rcv_ack5 -> 26, snd_data -> 132, rcv_data -> 133
110    [ 6, 3]  rcv_ack4 -> 27, snd_data -> 133, rcv_data -> 134
111    [10, 0]  rcv_ack9 -> 45, rcv_data -> 135
112    [ 9, 1]  rcv_ack8 -> 46, snd_data -> 135, rcv_data -> 136
113    [ 8, 2]  rcv_ack7 -> 47, snd_data -> 136, rcv_data -> 137
114    [ 7, 3]  rcv_ack6 -> 48, snd_data -> 137, rcv_data -> 138
115    [ 6, 4]  rcv_ack5 -> 49, snd_data -> 138, rcv_data -> 139
116    [10, 3]  rcv_data -> 140
117    [ 9, 4]  snd_data -> 140, rcv_data -> 141
118    [ 8, 5]  snd_data -> 141, rcv_data -> 142
119    [ 7, 6]  snd_data -> 142, rcv_data -> 143
120    [ 6, 0]  rcv_ack0 -> 0, snd_data -> 144
121    [ 7, 0]  rcv_ack2 -> 2, snd_data -> 145, rcv_data -> 146
122    [ 6, 1]  rcv_ack1 -> 3, snd_data -> 146, snd_ack -> 120
123    [ 8, 0]  rcv_ack4 -> 7, snd_data -> 147, rcv_data -> 148
124    [ 7, 1]  rcv_ack3 -> 8, snd_data -> 148, rcv_data -> 149
125    [ 6, 2]  rcv_ack2 -> 9, snd_data -> 149, snd_ack -> 120
126    [ 9, 0]  rcv_ack6 -> 17, snd_data -> 150, rcv_data -> 151
127    [ 8, 1]  rcv_ack5 -> 18, snd_data -> 151, rcv_data -> 152
128    [ 7, 2]  rcv_ack4 -> 19, snd_data -> 152, rcv_data -> 153
129    [ 6, 3]  rcv_ack3 -> 20, snd_data -> 153, snd_ack -> 120
130    [10, 0]  rcv_ack8 -> 34, rcv_data -> 154
131    [ 9, 1]  rcv_ack7 -> 35, snd_data -> 154, rcv_data -> 155
132    [ 8, 2]  rcv_ack6 -> 36, snd_data -> 155, rcv_data -> 156
133    [ 7, 3]  rcv_ack5 -> 37, snd_data -> 156, rcv_data -> 157
134    [ 6, 4]  rcv_ack4 -> 38, snd_data -> 157, snd_ack -> 120
135    [10, 1]  rcv_ack9 -> 61, rcv_data -> 158
136    [ 9, 2]  rcv_ack8 -> 62, snd_data -> 158, rcv_data -> 159
137    [ 8, 3]  rcv_ack7 -> 63, snd_data -> 159, rcv_data -> 160
138    [ 7, 4]  rcv_ack6 -> 64, snd_data -> 160, rcv_data -> 161
139    [ 6, 5]  rcv_ack5 -> 65, snd_data -> 161, snd_ack -> 120
140    [10, 4]  rcv_data -> 162
141    [ 9, 5]  snd_data -> 162, rcv_data -> 163
142    [ 8, 6]  snd_data -> 163, rcv_data -> 164
143    [ 7, 7]  snd_data -> 164, snd_ack -> 165
144    [ 7, 0]  rcv_ack1 -> 1, snd_data -> 166, rcv_data -> 167
145    [ 8, 0]  rcv_ack3 -> 4, snd_data -> 168, rcv_data -> 169
146    [ 7, 1]  rcv_ack2 -> 5, snd_data -> 169, rcv_data -> 170
147    [ 9, 0]  rcv_ack5 -> 11, snd_data -> 171, rcv_data -> 172
148    [ 8, 1]  rcv_ack4 -> 12, snd_data -> 172, rcv_data -> 173
149    [ 7, 2]  rcv_ack3 -> 13, snd_data -> 173, rcv_data -> 174
150    [10, 0]  rcv_ack7 -> 24, rcv_data -> 175
151    [ 9, 1]  rcv_ack6 -> 25, snd_data -> 175, rcv_data -> 176
152    [ 8, 2]  rcv_ack5 -> 26, snd_data -> 176, rcv_data -> 177
153    [ 7, 3]  rcv_ack4 -> 27, snd_data -> 177, rcv_data -> 178
154    [10, 1]  rcv_ack8 -> 46, rcv_data -> 179
155    [ 9, 2]  rcv_ack7 -> 47, snd_data -> 179, rcv_data -> 180
156    [ 8, 3]  rcv_ack6 -> 48, snd_data -> 180, rcv_data -> 181
157    [ 7, 4]  rcv_ack5 -> 49, snd_data -> 181, rcv_data -> 182
158    [10, 2]  rcv_ack9 -> 77, rcv_data -> 183
159    [ 9, 3]  rcv_ack8 -> 78, snd_data -> 183, rcv_data -> 184
160    [ 8, 4]  rcv_ack7 -> 79, snd_data -> 184, rcv_data -> 185
161    [ 7, 5]  rcv_ack6 -> 80, snd_data -> 185, rcv_data -> 186
162    [10, 5]  rcv_data -> 187
163    [ 9, 6]  snd_data -> 187, rcv_data -> 188
164    [ 8, 7]  snd_data -> 188, rcv_data -> 189
165    [ 7, 0]  rcv_ack0 -> 0, snd_data -> 190
166    [ 8, 0]  rcv_ack2 -> 2, snd_data -> 191, rcv_data -> 192
167    [ 7, 1]  rcv_ack1 -> 3, snd_data -> 192, snd_ack -> 165
168    [ 9, 0]  rcv_ack4 -> 7, snd_data -> 193, rcv_data -> 194
169    [ 8, 1]  rcv_ack3 -> 8, snd_data -> 194, rcv_data -> 195
170    [ 7, 2]  rcv_ack2 -> 9, snd_data -> 195, snd_ack -> 165
171    [10, 0]  rcv_ack6 -> 17, rcv_data -> 196
172    [ 9, 1]  rcv_ack5 -> 18, snd_data -> 196, rcv_data -> 197
173    [ 8, 2]  rcv_ack4 -> 19, snd_data -> 197, rcv_data -> 198
174    [ 7, 3]  rcv_ack3 -> 20, snd_data -> 198, snd_ack -> 165
175    [10, 1]  rcv_ack7 -> 35, rcv_data -> 199
176    [ 9, 2]  rcv_ack6 -> 36, snd_data -> 199, rcv_data -> 200
177    [ 8, 3]  rcv_ack5 -> 37, snd_data -> 200, rcv_data -> 201
178    [ 7, 4]  rcv_ack4 -> 38, snd_data -> 201, snd_ack -> 165
179    [10, 2]  rcv_ack8 -> 62, rcv_data -> 202
180    [ 9, 3]  rcv_ack7 -> 63, snd_data -> 202, rcv_data -> 203
181    [ 8, 4]  rcv_ack6 -> 64, snd_data -> 203, rcv_data -> 204
182    [ 7, 5]  rcv_ack5 -> 65, snd_data -> 204, snd_ack -> 165
183    [10, 3]  rcv_ack9 -> 97, rcv_data -> 205
184    [ 9, 4]  rcv_ack8 -> 98, snd_data -> 205, rcv_data -> 206
185    [ 8, 5]  rcv_ack7 -> 99, snd_data -> 206, rcv_data -> 207
186    [ 7, 6]  rcv_ack6 -> 100, snd_data -> 207, snd_ack -> 165
187    [10, 6]  rcv_data -> 208
188    [ 9, 7]  snd_data -> 208, rcv_data -> 209
189    [ 8, 8]  snd_data -> 209, snd_ack -> 210
190    [ 8, 0]  rcv_ack1 -> 1, snd_data -> 211, rcv_data -> 212
191    [ 9, 0]  rcv_ack3 -> 4, snd_data -> 213, rcv_data -> 214
192    [ 8, 1]  rcv_ack2 -> 5, snd_data -> 214, rcv_data -> 215
193    [10, 0]  rcv_ack5 -> 11, rcv_data -> 216
194    [ 9, 1]  rcv_ack4 -> 12, snd_data -> 216, rcv_data -> 217
195    [ 8, 2]  rcv_ack3 -> 13, snd_data -> 217, rcv_data -> 218
196    [10, 1]  rcv_ack6 -> 25, rcv_data -> 219
197    [ 9, 2]  rcv_ack5 -> 26, snd_data -> 219, rcv_data -> 220
198    [ 8, 3]  rcv_ack4 -> 27, snd_data -> 220, rcv_data -> 221
199    [10, 2]  rcv_ack7 -> 47, rcv_data -> 222
200    [ 9, 3]  rcv_ack6 -> 48, snd_data -> 222, rcv_data -> 223
201    [ 8, 4]  rcv_ack5 -> 49, snd_data -> 223, rcv_data -> 224
202    [10, 3]  rcv_ack8 -> 78, rcv_data -> 225
203    [ 9, 4]  rcv_ack7 -> 79, snd_data -> 225, rcv_data -> 226
204    [ 8, 5]  rcv_ack6 -> 80, snd_data -> 226, rcv_data -> 227
205    [10, 4]  rcv_ack9 -> 117, rcv_data -> 228
206    [ 9, 5]  rcv_ack8 -> 118, snd_data -> 228, rcv_data -> 229
207    [ 8, 6]  rcv_ack7 -> 119, snd_data -> 229, rcv_data -> 230
208    [10, 7]  rcv_data -> 231
209    [ 9, 8]  snd_data -> 231, rcv_data -> 232
210    [ 8, 0]  rcv_ack0 -> 0, snd_data -> 233
211    [ 9, 0]  rcv_ack2 -> 2, snd_data -> 234, rcv_data -> 235
212    [ 8, 1]  rcv_ack1 -> 3, snd_data -> 235, snd_ack -> 210
213    [10, 0]  rcv_ack4 -> 7, rcv_data -> 236
214    [ 9, 1]  rcv_ack3 -> 8, snd_data -> 236, rcv_data -> 237
215    [ 8, 2]  rcv_ack2 -> 9, snd_data -> 237, snd_ack -> 210
216    [10, 1]  rcv_ack5 -> 18, rcv_data -> 238
217    [ 9, 2]  rcv_ack4 -> 19, snd_data -> 238, rcv_data -> 239
218    [ 8, 3]  rcv_ack3 -> 20, snd_data -> 239, snd_ack -> 210
219    [10, 2]  rcv_ack6 -> 36, rcv_data -> 240
220    [ 9, 3]  rcv_ack5 -> 37, snd_data -> 240, rcv_data -> 241
221    [ 8, 4]  rcv_ack4 -> 38, snd_data -> 241, snd_ack -> 210
222    [10, 3]  rcv_ack7 -> 63, rcv_data -> 242
223    [ 9, 4]  rcv_ack6 -> 64, snd_data -> 242, rcv_data -> 243
224    [ 8, 5]  rcv_ack5 -> 65, snd_data -> 243, snd_ack -> 210
225    [10, 4]  rcv_ack8 -> 98, rcv_data -> 244
226    [ 9, 5]  rcv_ack7 -> 99, snd_data -> 244, rcv_data -> 245
227    [ 8, 6]  rcv_ack6 -> 100, snd_data -> 245, snd_ack -> 210
228    [10, 5]  rcv_ack9 -> 141, rcv_data -> 246
229    [ 9, 6]  rcv_ack8 -> 142, snd_data -> 246, rcv_data -> 247
230    [ 8, 7]  rcv_ack7 -> 143, snd_data -> 247, snd_ack -> 210
231    [10, 8]  rcv_data -> 248
232    [ 9, 9]  snd_data -> 248, snd_ack -> 249
233    [ 9, 0]  rcv_ack1 -> 1, snd_data -> 250, rcv_data -> 251
234    [10, 0]  rcv_ack3 -> 4, rcv_data -> 252
235    [ 9, 1]  rcv_ack2 -> 5, snd_data -> 252, rcv_data -> 253
236    [10, 1]  rcv_ack4 -> 12, rcv_data -> 254
237    [ 9, 2]  rcv_ack3 -> 13, snd_data -> 254, rcv_data -> 255
238    [10, 2]  rcv_ack5 -> 26, rcv_data -> 256
239    [ 9, 3]  rcv_ack4 -> 27, snd_data -> 256, rcv_data -> 257
240    [10, 3]  rcv_ack6 -> 48, rcv_data -> 258
241    [ 9, 4]  rcv_ack5 -> 49, snd_data -> 258, rcv_data -> 259
242    [10, 4]  rcv_ack7 -> 79, rcv_data -> 260
243    [ 9, 5]  rcv_ack6 -> 80, snd_data -> 260, rcv_data -> 261
244    [10, 5]  rcv_ack8 -> 118, rcv_data -> 262
245    [ 9, 6]  rcv_ack7 -> 119, snd_data -> 262, rcv_data -> 263
246    [10, 6]  rcv_ack9 -> 163, rcv_data -> 264
247    [ 9, 7]  rcv_ack8 -> 164, snd_data -> 264, rcv_data -> 265
248    [10, 9]  rcv_data -> 266
249    [ 9, 0]  rcv_ack0 -> 0, snd_data -> 267
250    [10, 0]  rcv_ack2 -> 2, rcv_data -> 268
251    [ 9, 1]  rcv_ack1 -> 3, snd_data -> 268, snd_ack -> 249
252    [10, 1]  rcv_ack3 -> 8, rcv_data -> 269
253    [ 9, 2]  rcv_ack2 -> 9, snd_data -> 269, snd_ack -> 249
254    [10, 2]  rcv_ack4 -> 19, rcv_data -> 270
255    [ 9, 3]  rcv_ack3 -> 20, snd_data -> 270, snd_ack -> 249
256    [10, 3]  rcv_ack5 -> 37, rcv_data -> 271
257    [ 9, 4]  rcv_ack4 -> 38, snd_data -> 271, snd_ack -> 249
258    [10, 4]  rcv_ack6 -> 64, rcv_data -> 272
259    [ 9, 5]  rcv_ack5 -> 65, snd_data -> 272, snd_ack -> 249
260    [10, 5]  rcv_ack7 -> 99, rcv_data -> 273
261    [ 9, 6]  rcv_ack6 -> 100, snd_data -> 273, snd_ack -> 249
262    [10, 6]  rcv_ack8 -> 142, rcv_data -> 274
263    [ 9, 7]  rcv_ack7 -> 143, snd_data -> 274, snd_ack -> 249
264    [10, 7]  rcv_ack9 -> 188, rcv_data -> 275
265    [ 9, 8]  rcv_ack8 -> 189, snd_data -> 275, snd_ack -> 249
266    [10,10]  snd_ack -> 276
267    [10, 0]  rcv_ack1 -> 1, rcv_data -> 277
268    [10, 1]  rcv_ack2 -> 5, rcv_data -> 278
269    [10, 2]  rcv_ack3 -> 13, rcv_data -> 279
270    [10, 3]  rcv_ack4 -> 27, rcv_data -> 280
271    [10, 4]  rcv_ack5 -> 49, rcv_data -> 281
272    [10, 5]  rcv_ack6 -> 80, rcv_data -> 282
273    [10, 6]  rcv_ack7 -> 119, rcv_data -> 283
274    [10, 7]  rcv_ack8 -> 164, rcv_data -> 284
275    [10, 8]  rcv_ack9 -> 209, rcv_data -> 285
276    [10, 0]  rcv_ack0 -> 0
277    [10, 1]  rcv_ack1 -> 3, snd_ack -> 276
278    [10, 2]  rcv_ack2 -> 9, snd_ack -> 276
279    [10, 3]  rcv_ack3 -> 20, snd_ack -> 276
280    [10, 4]  rcv_ack4 -> 38, snd_ack -> 276
281    [10, 5]  rcv_ack5 -> 65, snd_ack -> 276
282    [10, 6]  rcv_ack6 -> 100, snd_ack -> 276
283    [10, 7]  rcv_ack7 -> 143, snd_ack -> 276
284    [10, 8]  rcv_ack8 -> 189, snd_ack -> 276
285    [10, 9]  rcv_ack9 -> 232, snd_ack -> 276


SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 286
Number of states analyzed  : 286
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS
*****NONE*****



APPENDIX C (Token Bus Protocol)
FSM Text File


start

number_of_machines 8

machine 1
state 0
trans rcv1 1
trans get_tk1 2
state 1
trans ready1 0
state 2
trans Xmit1 3
trans pass1 0
state 3
trans moreD1 2
trans pass_tk1 0

machine 2
state 0
trans rcv2 1
trans get_tk2 2
state 1
trans ready2 0
state 2
trans Xmit2 3
trans pass2 0
state 3
trans moreD2 2
trans pass_tk2 0

machine 3
state 0
trans rcv3 1
trans get_tk3 2
state 1
trans ready3 0
state 2
trans Xmit3 3
trans pass3 0
state 3
trans moreD3 2
trans pass_tk3 0

machine 4
state 0
trans rcv4 1
trans get_tk4 2
state 1
trans ready4 0
state 2
trans Xmit4 3
trans pass4 0
state 3
trans moreD4 2
trans pass_tk4 0

machine 5
state 0
trans rcv5 1
trans get_tk5 2
state 1
trans ready5 0
state 2
trans Xmit5 3
trans pass5 0
state 3
trans moreD5 2
trans pass_tk5 0

machine 6
state 0
trans rcv6 1
trans get_tk6 2
state 1
trans ready6 0
state 2
trans Xmit6 3
trans pass6 0
state 3
trans moreD6 2
trans pass_tk6 0

machine 7
state 0
trans rcv7 1
trans get_tk7 2
state 1
trans ready7 0
state 2
trans Xmit7 3
trans pass7 0
state 3
trans moreD7 2
trans pass_tk7 0

machine 8
state 0
trans rcv8 1
trans get_tk8 2
state 1
trans ready8 0
state 2
trans Xmit8 3
trans pass8 0
state 3
trans moreD8 2
trans pass_tk8 0

initial_state 00000000

finish
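The text file above is the validator's input format for a CFSM model: a start/finish pair, the machine count, one "machine n" block per station made of "state s" lines each followed by its "trans name target" lines, and an initial_state string with one digit per machine. The program below is an added example written for this page, not part of the thesis code. It parses the format and checks the properties the validator depends on: the declared machine count matches the blocks actually present, every transition target is a declared state of its machine, every state is reachable from that machine's initial state, no state lacks an outgoing transition, and no transition name is used twice (the scm_transition_type enumeration in the definitions package needs distinct literals). The sample input is constructed from the first two stations of the listing, with number_of_machines and initial_state shortened to match; the names parse_fsm, check_fsm, local_reachable, transition_names and station_block are the example's own.

```python
"""Parser and consistency checks for the validator's FSM text file (added example)."""


def station_block(n):
    """Constructed sample: one station of the token bus listing, in the file's syntax."""
    return (f"machine {n}\nstate 0\ntrans rcv{n} 1\ntrans get_tk{n} 2\n"
            f"state 1\ntrans ready{n} 0\nstate 2\ntrans Xmit{n} 3\ntrans pass{n} 0\n"
            f"state 3\ntrans moreD{n} 2\ntrans pass_tk{n} 0\n")


# Constructed sample: stations 1 and 2 only, so number_of_machines and initial_state
# are shortened accordingly (the thesis file declares 8 stations).
SAMPLE = ("start\nnumber_of_machines 2\n" + station_block(1) + station_block(2)
          + "initial_state 00\nfinish\n")


def parse_fsm(text):
    """Return {"declared": n, "machines": {id: {state: [(name, to), ...]}}, "initial": [...]}."""
    machines, declared, initial = {}, None, None
    cur_m = cur_s = None
    started = finished = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "start":
            started = True
        elif key == "finish":
            finished = True
        elif not started or finished:
            raise ValueError(f"line {lineno}: {key!r} outside start/finish")
        elif key == "number_of_machines":
            declared = int(args[0])
        elif key == "machine":
            cur_m, cur_s = int(args[0]), None
            machines[cur_m] = {}
        elif key == "state":
            if cur_m is None:
                raise ValueError(f"line {lineno}: state before any machine")
            cur_s = int(args[0])
            machines[cur_m][cur_s] = []
        elif key == "trans":
            if cur_s is None:
                raise ValueError(f"line {lineno}: trans before any state")
            machines[cur_m][cur_s].append((args[0], int(args[1])))
        elif key == "initial_state":
            initial = [int(c) for c in args[0]]   # one digit per machine
        else:
            raise ValueError(f"line {lineno}: unknown keyword {key!r}")
    if not (started and finished):
        raise ValueError("file must begin with start and end with finish")
    return {"declared": declared, "machines": machines, "initial": initial}


def transition_names(spec):
    return [name for m in spec["machines"].values() for trs in m.values() for name, _ in trs]


def local_reachable(states, start):
    """States reachable from start inside one machine (depth-first over its transitions)."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for _, to in states.get(s, []):
            if to not in seen:
                seen.add(to)
                todo.append(to)
    return seen


def check_fsm(spec):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    machines = spec["machines"]
    n = len(machines)
    if spec["declared"] != n:
        problems.append(f"number_of_machines is {spec['declared']} but {n} machines are defined")
    if sorted(machines) != list(range(1, n + 1)):
        problems.append("machine numbers are not 1..n")
    init = spec["initial"] or []
    if len(init) != n:
        problems.append(f"initial_state has {len(init)} digits for {n} machines")
    for m, states in sorted(machines.items()):
        for s, trs in states.items():
            if not trs:
                problems.append(f"machine {m} state {s} has no outgoing transition")
            for name, to in trs:
                if to not in states:
                    problems.append(f"machine {m}: {name} leads from state {s} to undeclared state {to}")
        if m - 1 < len(init):
            start = init[m - 1]
            if start not in states:
                problems.append(f"machine {m}: initial state {start} is not declared")
            else:
                for s in sorted(set(states) - local_reachable(states, start)):
                    problems.append(f"machine {m} state {s} is unreachable from initial state {start}")
    names = transition_names(spec)
    for name in sorted({x for x in names if names.count(x) > 1}):
        problems.append(f"transition name {name} is used more than once")
    return problems


if __name__ == "__main__":
    spec = parse_fsm(SAMPLE)
    print(len(spec["machines"]), "machines,", len(transition_names(spec)), "transitions")
    print("problems:", check_fsm(spec) or "none")
```

A file that passes check_fsm can still describe a system that deadlocks or leaves transitions unexecuted once the predicates on the shared MEDIUM record are applied; those are properties of the product of the machines, which the reachability analysis establishes, not of any single machine's graph.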
Variable Definitions (No Message in outbuf Variables)

with TEXT_IO; use TEXT_IO;

package definitions is

   num_of_machines : constant := 8;

   k : constant := 7;  -- number of rows (messages) in output buffer

   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6,
                                pass7, pass8, get_tk1, get_tk2,
                                get_tk3, get_tk4, get_tk5, get_tk6,
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3,
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1,
                                moreD2, moreD3, moreD4, moreD5,
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5,
                                pass_tk6, pass_tk7, pass_tk8,
                                pass_tk1, pass_tk2, pass_tk3,
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8,
                                rcv2, rcv3, ready1, ready2, ready3,
                                ready4, ready5, ready6, ready7, ready8, unused);

   type dummy_type is range 1 .. 255;

   type t_field_type is (D, T, E);

   package t_field_enum_io is new enumeration_IO (t_field_type);
   use t_field_enum_io;

   type MEDIUM_TYPE is
      record
         t    : t_field_type;
         DA   : integer range 1 .. 8;
         SA   : integer range 1 .. 8;
         data : character;
      end record;

   type input_buffer_type is
      record
         DA   : integer range 0 .. 8 := 0;
         SA   : integer range 0 .. 8 := 0;
         data : character := 'E';
      end record;

   type output_buffer_type is array (1 .. k) of MEDIUM_TYPE;

   type machine1_state_type is
      record
         next   : integer := 2;                      -- address of downstream neighbor
         i      : integer := 1;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 2, 1, 'I'), (E, 3, 1, 'I'),
                                          (E, 4, 1, 'I'), (E, 5, 1, 'I'),
                                          (E, 6, 1, 'I'), (E, 7, 1, 'I'), (E, 8, 1, 'I'));
      end record;


   type machine2_state_type is
      record
         next   : integer := 3;                      -- address of downstream neighbor
         i      : integer := 2;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 2, 'I'), (E, 3, 2, 'I'),
                                          (E, 4, 2, 'I'), (E, 5, 2, 'I'),
                                          (E, 6, 2, 'I'), (E, 7, 2, 'I'), (E, 8, 2, 'I'));
      end record;


   type machine3_state_type is
      record
         next   : integer := 4;                      -- address of downstream neighbor
         i      : integer := 3;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 3, 'I'), (E, 2, 3, 'I'),
                                          (E, 4, 3, 'I'), (E, 5, 3, 'I'),
                                          (E, 6, 3, 'I'), (E, 7, 3, 'I'), (E, 8, 3, 'I'));
      end record;


   type machine4_state_type is
      record
         next   : integer := 5;                      -- address of downstream neighbor
         i      : integer := 4;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 4, 'I'), (E, 2, 4, 'I'), (E, 3, 4, 'I'), (E, 5, 4, 'I'),
                                          (E, 6, 4, 'I'), (E, 7, 4, 'I'), (E, 8, 4, 'I'));
      end record;


   type machine5_state_type is
      record
         next   : integer := 6;                      -- address of downstream neighbor
         i      : integer := 5;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 5, 'I'), (E, 2, 5, 'I'), (E, 3, 5, 'I'), (E, 4, 5, 'I'),
                                          (E, 6, 5, 'I'), (E, 7, 5, 'I'), (E, 8, 5, 'I'));
      end record;


   type machine6_state_type is
      record
         next   : integer := 7;                      -- address of downstream neighbor
         i      : integer := 6;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 6, 'I'), (E, 2, 6, 'I'), (E, 3, 6, 'I'), (E, 4, 6, 'I'),
                                          (E, 5, 6, 'I'), (E, 7, 6, 'I'), (E, 8, 6, 'I'));
      end record;


   type machine7_state_type is
      record
         next   : integer := 8;                      -- address of downstream neighbor
         i      : integer := 7;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 7, 'I'), (E, 2, 7, 'I'), (E, 3, 7, 'I'), (E, 4, 7, 'I'),
                                          (E, 5, 7, 'I'), (E, 6, 7, 'I'), (E, 8, 7, 'I'));
      end record;


   type machine8_state_type is
      record
         next   : integer := 1;                      -- address of downstream neighbor
         i      : integer := 8;                      -- station's own address
         ctr    : integer range 1 .. (k + 1) := 1;   -- counter for messages sent
         j      : integer range 1 .. k := 1;         -- index for output buffer
         inbuf  : input_buffer_type;                 -- stores the received messages
         outbuf : output_buffer_type := ((E, 1, 8, 'I'), (E, 2, 8, 'I'), (E, 3, 8, 'I'), (E, 4, 8, 'I'),
                                          (E, 5, 8, 'I'), (E, 6, 8, 'I'), (E, 7, 8, 'I'));
      end record;

   type global_variable_type is
      record
         MEDIUM : MEDIUM_TYPE := (T, 1, 2, 'N');
      end record;

end definitions;
Variable Definitions (One Message in outbuf Variables)

with TEXT_IO; use TEXT_IO;
package definitions is

   num_of_machines : constant := 8;

   k : constant := 7;   -- number of rows (messages) in output buffer

   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6,
                                pass7, pass8, get_tk1, get_tk2,
                                get_tk3, get_tk4, get_tk5, get_tk6,
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3,
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1,
                                moreD2, moreD3, moreD4, moreD5,
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5,
                                pass_tk6, pass_tk7, pass_tk8,
                                pass_tk1, pass_tk2, pass_tk3,
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8,
                                rcv2, rcv3, ready1, ready2, ready3,
                                ready4, ready5, ready6, ready7, ready8, unused);

   type dummy_type is range 1..255;

   type t_field_type is (D, T, E);   -- data frame, token, empty medium

   package t_field_enum_io is new enumeration_IO (t_field_type);

   use t_field_enum_io;

   type MEDIUM_TYPE is
      record
         t    : t_field_type;
         DA   : integer range 1..8;   -- destination address
         SA   : integer range 1..8;   -- source address
         data : character;
      end record;

   type input_buffer_type is
      record
         DA   : integer range 0..8 := 0;
         SA   : integer range 0..8 := 0;
         data : character := 'E';
      end record;

   type output_buffer_type is array (1..k) of MEDIUM_TYPE;

   type machine1_state_type is
      record
         next   : integer := 2;                   -- address of downstream neighbor
         i      : integer := 1;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,2,1,'I'), (E,3,1,'I'), (E,4,1,'I'), (E,5,1,'I'),
                                         (E,6,1,'I'), (E,7,1,'I'), (E,8,1,'I'));
      end record;

   type machine2_state_type is
      record
         next   : integer := 3;                   -- address of downstream neighbor
         i      : integer := 2;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,2,'I'), (E,3,2,'I'), (E,4,2,'I'), (E,5,2,'I'),
                                         (E,6,2,'I'), (E,7,2,'I'), (E,8,2,'I'));
      end record;

   type machine3_state_type is
      record
         next   : integer := 4;                   -- address of downstream neighbor
         i      : integer := 3;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,3,'I'), (E,2,3,'I'), (E,4,3,'I'), (E,5,3,'I'),
                                         (E,6,3,'I'), (E,7,3,'I'), (E,8,3,'I'));
      end record;

   type machine4_state_type is
      record
         next   : integer := 5;                   -- address of downstream neighbor
         i      : integer := 4;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,4,'I'), (E,2,4,'I'), (E,3,4,'I'), (E,5,4,'I'),
                                         (E,6,4,'I'), (E,7,4,'I'), (E,8,4,'I'));
      end record;

   type machine5_state_type is
      record
         next   : integer := 6;                   -- address of downstream neighbor
         i      : integer := 5;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,5,'I'), (E,2,5,'I'), (E,3,5,'I'), (E,4,5,'I'),
                                         (E,6,5,'I'), (E,7,5,'I'), (E,8,5,'I'));
      end record;

   type machine6_state_type is
      record
         next   : integer := 7;                   -- address of downstream neighbor
         i      : integer := 6;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,6,'I'), (E,2,6,'I'), (E,3,6,'I'), (E,4,6,'I'),
                                         (E,5,6,'I'), (E,7,6,'I'), (E,8,6,'I'));
      end record;

   type machine7_state_type is
      record
         next   : integer := 8;                   -- address of downstream neighbor
         i      : integer := 7;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,7,'I'), (E,2,7,'I'), (E,3,7,'I'), (E,4,7,'I'),
                                         (E,5,7,'I'), (E,6,7,'I'), (E,8,7,'I'));
      end record;

   type machine8_state_type is
      record
         next   : integer := 1;                   -- address of downstream neighbor (ring closes)
         i      : integer := 8;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,8,'I'), (E,2,8,'I'), (E,3,8,'I'), (E,4,8,'I'),
                                         (E,5,8,'I'), (E,6,8,'I'), (E,7,8,'I'));
      end record;

   type global_variable_type is
      record
         MEDIUM : MEDIUM_TYPE := (T,1,2,'E');     -- token initially addressed to station 1
      end record;

end definitions;
Variable Definitions

There are seven messages in the outbuf variable of each machine; each machine sends
one message to every other machine in the network.

with TEXT_IO; use TEXT_IO;
package definitions is

   num_of_machines : constant := 8;

   k : constant := 7;   -- number of rows (messages) in output buffer

   type scm_transition_type is (pass1, pass2, pass3, pass4, pass5, pass6,
                                pass7, pass8, get_tk1, get_tk2,
                                get_tk3, get_tk4, get_tk5, get_tk6,
                                get_tk7, get_tk8, Xmit1, Xmit2, Xmit3,
                                Xmit4, Xmit5, Xmit6, Xmit7, Xmit8, moreD1,
                                moreD2, moreD3, moreD4, moreD5,
                                moreD6, moreD7, moreD8, pass_tk4, pass_tk5,
                                pass_tk6, pass_tk7, pass_tk8,
                                pass_tk1, pass_tk2, pass_tk3,
                                rcv1, rcv4, rcv5, rcv6, rcv7, rcv8,
                                rcv2, rcv3, ready1, ready2, ready3,
                                ready4, ready5, ready6, ready7, ready8, unused);

   type dummy_type is range 1..255;

   type t_field_type is (D, T, E);   -- data frame, token, empty medium

   package t_field_enum_io is new enumeration_IO (t_field_type);

   use t_field_enum_io;

   type MEDIUM_TYPE is
      record
         t    : t_field_type;
         DA   : integer range 1..8;   -- destination address
         SA   : integer range 1..8;   -- source address
         data : character;
      end record;

   type input_buffer_type is
      record
         DA   : integer range 0..8 := 0;
         SA   : integer range 0..8 := 0;
         data : character := 'E';
      end record;

   type output_buffer_type is array (1..k) of MEDIUM_TYPE;

   type machine1_state_type is
      record
         next   : integer := 2;                   -- address of downstream neighbor
         i      : integer := 1;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,2,1,'I'), (D,3,1,'I'), (D,4,1,'I'), (D,5,1,'I'),
                                         (D,6,1,'I'), (D,7,1,'I'), (D,8,1,'I'));
      end record;

   type machine2_state_type is
      record
         next   : integer := 3;                   -- address of downstream neighbor
         i      : integer := 2;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,2,'I'), (D,3,2,'I'), (D,4,2,'I'), (D,5,2,'I'),
                                         (D,6,2,'I'), (D,7,2,'I'), (D,8,2,'I'));
      end record;

   type machine3_state_type is
      record
         next   : integer := 4;                   -- address of downstream neighbor
         i      : integer := 3;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,3,'I'), (D,2,3,'I'), (D,4,3,'I'), (D,5,3,'I'),
                                         (D,6,3,'I'), (D,7,3,'I'), (D,8,3,'I'));
      end record;

   type machine4_state_type is
      record
         next   : integer := 5;                   -- address of downstream neighbor
         i      : integer := 4;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,4,'I'), (D,2,4,'I'), (D,3,4,'I'), (D,5,4,'I'),
                                         (D,6,4,'I'), (D,7,4,'I'), (D,8,4,'I'));
      end record;

   type machine5_state_type is
      record
         next   : integer := 6;                   -- address of downstream neighbor
         i      : integer := 5;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,5,'I'), (D,2,5,'I'), (D,3,5,'I'), (D,4,5,'I'),
                                         (D,6,5,'I'), (D,7,5,'I'), (D,8,5,'I'));
      end record;

   type machine6_state_type is
      record
         next   : integer := 7;                   -- address of downstream neighbor
         i      : integer := 6;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,6,'I'), (D,2,6,'I'), (D,3,6,'I'), (D,4,6,'I'),
                                         (D,5,6,'I'), (D,7,6,'I'), (D,8,6,'I'));
      end record;

   type machine7_state_type is
      record
         next   : integer := 8;                   -- address of downstream neighbor
         i      : integer := 7;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,7,'I'), (D,2,7,'I'), (D,3,7,'I'), (D,4,7,'I'),
                                         (D,5,7,'I'), (D,6,7,'I'), (D,8,7,'I'));
      end record;

   type machine8_state_type is
      record
         next   : integer := 1;                   -- address of downstream neighbor (ring closes)
         i      : integer := 8;                   -- station's own address
         ctr    : integer range 1..(k+1) := 1;    -- counter for messages sent
         j      : integer range 1..k := 1;        -- index for output buffer
         inbuf  : input_buffer_type;              -- stores the received messages
         outbuf : output_buffer_type := ((D,1,8,'I'), (D,2,8,'I'), (D,3,8,'I'), (D,4,8,'I'),
                                         (D,5,8,'I'), (D,6,8,'I'), (D,7,8,'I'));
      end record;

   type global_variable_type is
      record
         MEDIUM : MEDIUM_TYPE := (T,1,2,'N');     -- token initially addressed to station 1
      end record;

end definitions;
Predicate-Action Table

-- Each Analyze_Predicates_MachineN evaluates the enabling predicates of
-- station N in control state s and pushes every enabled transition onto w.

separate (main)
procedure Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv1);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk1);
         end if;
      when 1 =>
         push (w, ready1);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit1);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass1);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD1);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk1);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine1;

separate (main)
procedure Analyze_Predicates_Machine2 (local  : machine2_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv2);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk2);
         end if;
      when 1 =>
         push (w, ready2);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit2);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass2);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD2);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk2);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine2;

separate (main)
procedure Analyze_Predicates_Machine3 (local  : machine3_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv3);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk3);
         end if;
      when 1 =>
         push (w, ready3);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit3);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass3);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD3);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk3);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine3;

separate (main)
procedure Analyze_Predicates_Machine4 (local  : machine4_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv4);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk4);
         end if;
      when 1 =>
         push (w, ready4);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit4);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass4);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD4);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk4);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine4;


separate (main)
procedure Analyze_Predicates_Machine5 (local  : machine5_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv5);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk5);
         end if;
      when 1 =>
         push (w, ready5);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit5);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass5);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD5);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk5);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine5;


separate (main)
procedure Analyze_Predicates_Machine6 (local  : machine6_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv6);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk6);
         end if;
      when 1 =>
         push (w, ready6);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit6);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass6);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD6);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk6);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine6;


separate (main)
procedure Analyze_Predicates_Machine7 (local  : machine7_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv7);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk7);
         end if;
      when 1 =>
         push (w, ready7);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit7);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass7);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD7);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk7);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine7;


separate (main)
procedure Analyze_Predicates_Machine8 (local  : machine8_state_type;
                                       global : global_variable_type;
                                       s      : natural;
                                       w      : in out transition_stack_package.stack) is
begin
   case s is
      when 0 =>
         if (global.MEDIUM.t = D) and (global.MEDIUM.DA = local.i) then
            push (w, rcv8);
         end if;
         if (global.MEDIUM.t = T) and (global.MEDIUM.DA = local.i) then
            push (w, get_tk8);
         end if;
      when 1 =>
         push (w, ready8);
      when 2 =>
         if local.outbuf (local.j).t /= E then
            push (w, Xmit8);
         end if;
         if local.outbuf (local.j).t = E then
            push (w, pass8);
         end if;
      when 3 =>
         if (global.MEDIUM.t = E) and (local.outbuf (local.j).t /= E) and
            (local.ctr <= k) then
            push (w, moreD8);
         end if;
         if (global.MEDIUM.t = E) and ((local.outbuf (local.j).t = E)
            or (local.ctr = (k+1))) then
            push (w, pass_tk8);
         end if;
      when others =>
         null;
   end case;
end Analyze_Predicates_Machine8;


separate (main)

-- Action applies the effect of in_transition to the copy of the global state
-- in out_system_state; predicates read in_system_state, so each transition
-- is evaluated against the state before the step.

procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
begin
   case in_transition is

      -- rcvN: station N copies the frame on the medium into its input buffer
      when rcv1 =>
         out_system_state.machine1_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine1_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv2 =>
         out_system_state.machine2_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine2_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv3 =>
         out_system_state.machine3_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine3_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv4 =>
         out_system_state.machine4_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine4_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv5 =>
         out_system_state.machine5_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine5_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv6 =>
         out_system_state.machine6_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine6_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv7 =>
         out_system_state.machine7_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine7_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;
      when rcv8 =>
         out_system_state.machine8_state.inbuf.SA
            := in_system_state.global_variables.MEDIUM.SA;
         out_system_state.machine8_state.inbuf.data
            := in_system_state.global_variables.MEDIUM.data;

      -- readyN: the medium is released
      when ready1 | ready2 | ready3 | ready4 | ready5 | ready6 | ready7 | ready8 =>
         out_system_state.global_variables.MEDIUM.t := E;

      -- get_tkN: station N takes the token and restarts its message counter
      when get_tk1 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine1_state.ctr := 1;
      when get_tk2 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine2_state.ctr := 1;
      when get_tk3 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine3_state.ctr := 1;
      when get_tk4 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine4_state.ctr := 1;
      when get_tk5 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine5_state.ctr := 1;
      when get_tk6 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine6_state.ctr := 1;
      when get_tk7 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine7_state.ctr := 1;
      when get_tk8 =>
         out_system_state.global_variables.MEDIUM.t := E;
         out_system_state.machine8_state.ctr := 1;

      -- passN / pass_tkN: station N puts the token on the medium, addressed
      -- to its downstream neighbor
      when pass1 | pass_tk1 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine1_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine1_state.i;
      when pass2 | pass_tk2 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine2_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine2_state.i;
      when pass3 | pass_tk3 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine3_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine3_state.i;
      when pass4 | pass_tk4 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine4_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine4_state.i;
      when pass5 | pass_tk5 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine5_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine5_state.i;
      when pass6 | pass_tk6 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine6_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine6_state.i;
      when pass7 | pass_tk7 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine7_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine7_state.i;
      when pass8 | pass_tk8 =>
         out_system_state.global_variables.MEDIUM.t := T;
         out_system_state.global_variables.MEDIUM.DA
            := in_system_state.machine8_state.next;
         out_system_state.global_variables.MEDIUM.data := 'E';
         out_system_state.global_variables.MEDIUM.SA
            := in_system_state.machine8_state.i;

      -- XmitN: station N puts outbuf(j) on the medium, marks that row empty
      -- and advances ctr (wrapping in 1..8) and j (wrapping in 1..7)
      when Xmit1 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine1_state.outbuf (in_system_state.machine1_state.j);
         out_system_state.machine1_state.outbuf (in_system_state.machine1_state.j).t := E;
         out_system_state.machine1_state.ctr
            := (in_system_state.machine1_state.ctr mod 8) + 1;
         out_system_state.machine1_state.j
            := (in_system_state.machine1_state.j mod 7) + 1;
      when Xmit2 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine2_state.outbuf (in_system_state.machine2_state.j);
         out_system_state.machine2_state.outbuf (in_system_state.machine2_state.j).t := E;
         out_system_state.machine2_state.ctr
            := (in_system_state.machine2_state.ctr mod 8) + 1;
         out_system_state.machine2_state.j
            := (in_system_state.machine2_state.j mod 7) + 1;
      when Xmit3 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine3_state.outbuf (in_system_state.machine3_state.j);
         out_system_state.machine3_state.outbuf (in_system_state.machine3_state.j).t := E;
         out_system_state.machine3_state.ctr
            := (in_system_state.machine3_state.ctr mod 8) + 1;
         out_system_state.machine3_state.j
            := (in_system_state.machine3_state.j mod 7) + 1;
      when Xmit4 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine4_state.outbuf (in_system_state.machine4_state.j);
         out_system_state.machine4_state.outbuf (in_system_state.machine4_state.j).t := E;
         out_system_state.machine4_state.ctr
            := (in_system_state.machine4_state.ctr mod 8) + 1;
         out_system_state.machine4_state.j
            := (in_system_state.machine4_state.j mod 7) + 1;
      when Xmit5 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine5_state.outbuf (in_system_state.machine5_state.j);
         out_system_state.machine5_state.outbuf (in_system_state.machine5_state.j).t := E;
         out_system_state.machine5_state.ctr
            := (in_system_state.machine5_state.ctr mod 8) + 1;
         out_system_state.machine5_state.j
            := (in_system_state.machine5_state.j mod 7) + 1;
      when Xmit6 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine6_state.outbuf (in_system_state.machine6_state.j);
         out_system_state.machine6_state.outbuf (in_system_state.machine6_state.j).t := E;
         out_system_state.machine6_state.ctr
            := (in_system_state.machine6_state.ctr mod 8) + 1;
         out_system_state.machine6_state.j
            := (in_system_state.machine6_state.j mod 7) + 1;
      when Xmit7 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine7_state.outbuf (in_system_state.machine7_state.j);
         out_system_state.machine7_state.outbuf (in_system_state.machine7_state.j).t := E;
         out_system_state.machine7_state.ctr
            := (in_system_state.machine7_state.ctr mod 8) + 1;
         out_system_state.machine7_state.j
            := (in_system_state.machine7_state.j mod 7) + 1;
      when Xmit8 =>
         out_system_state.global_variables.MEDIUM
            := in_system_state.machine8_state.outbuf (in_system_state.machine8_state.j);
         out_system_state.machine8_state.outbuf (in_system_state.machine8_state.j).t := E;
         out_system_state.machine8_state.ctr
            := (in_system_state.machine8_state.ctr mod 8) + 1;
         out_system_state.machine8_state.j
            := (in_system_state.machine8_state.j mod 7) + 1;

      -- moreDN: station N keeps the token to send another message; no state change
      when moreD1 | moreD2 | moreD3 | moreD4 | moreD5 | moreD6 | moreD7 | moreD8 =>
         null;

      when others =>
         put ("Error in action procedure");
   end case;
end Action;
Output Format


separate (main)

procedure output_Gtuple (tuple : in out Gstate_record_type) is

begin

   if print_header then
      new_line (2);
      set_col (7);
      put_line ("m1, m2, m3, m4, m5, m6, m7, m8, MEDIUM.t, MEDIUM.DA, MEDIUM.SA, MEDIUM.data");
      print_header := false;
   else
      put ("[" & integer'image (tuple.machine_state (1)));
      put (", ");
      put (integer'image (tuple.machine_state (2)));
      put (", ");
      put (integer'image (tuple.machine_state (3)));
      put (", ");
      put (integer'image (tuple.machine_state (4)));
      put (", ");
      put (integer'image (tuple.machine_state (5)));
      put (", ");
      put (integer'image (tuple.machine_state (6)));
      put (", ");
      put (integer'image (tuple.machine_state (7)));
      put (", ");
      put (integer'image (tuple.machine_state (8)));
      put (", ");
      t_field_enum_io.put (tuple.global_variables.MEDIUM.t, set => upper_case);
      put (", ");
      put (tuple.global_variables.MEDIUM.DA, width => 1);
      put (", ");
      put (tuple.global_variables.MEDIUM.SA, width => 1);
      put (", ");
      put (tuple.global_variables.MEDIUM.data);
   end if;
end output_Gtuple;
Program Output (No Message in outbuf Variable)


REACHABILITY ANALYSIS of :tb8.scm
SPECIFICATION

| Machine 1 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv1       |
|  0   |  2 | get_tk1    |
|  1   |  0 | ready1     |
|  2   |  3 | xmit1      |
|  2   |  0 | pass1      |
|  3   |  2 | mored1     |
|  3   |  0 | pass_tk1   |

| Machine 2 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv2       |
|  0   |  2 | get_tk2    |
|  1   |  0 | ready2     |
|  2   |  3 | xmit2      |
|  2   |  0 | pass2      |
|  3   |  2 | mored2     |
|  3   |  0 | pass_tk2   |

| Machine 3 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv3       |
|  0   |  2 | get_tk3    |
|  1   |  0 | ready3     |
|  2   |  3 | xmit3      |
|  2   |  0 | pass3      |
|  3   |  2 | mored3     |
|  3   |  0 | pass_tk3   |

| Machine 4 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv4       |
|  0   |  2 | get_tk4    |
|  1   |  0 | ready4     |
|  2   |  3 | xmit4      |
|  2   |  0 | pass4      |
|  3   |  2 | mored4     |
|  3   |  0 | pass_tk4   |

| Machine 5 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv5       |
|  0   |  2 | get_tk5    |
|  1   |  0 | ready5     |
|  2   |  3 | xmit5      |
|  2   |  0 | pass5      |
|  3   |  2 | mored5     |
|  3   |  0 | pass_tk5   |

| Machine 6 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv6       |
|  0   |  2 | get_tk6    |
|  1   |  0 | ready6     |
|  2   |  3 | xmit6      |
|  2   |  0 | pass6      |
|  3   |  2 | mored6     |
|  3   |  0 | pass_tk6   |

| Machine 7 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv7       |
|  0   |  2 | get_tk7    |
|  1   |  0 | ready7     |
|  2   |  3 | xmit7      |
|  2   |  0 | pass7      |
|  3   |  2 | mored7     |
|  3   |  0 | pass_tk7   |

| Machine 8 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv8       |
|  0   |  2 | get_tk8    |
|  1   |  0 | ready8     |
|  2   |  3 | xmit8      |
|  2   |  0 | pass8      |
|  3   |  2 | mored8     |
|  3   |  0 | pass_tk8   |

SYSTEM REACHABILITY GRAPH

 0  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  0  get_tk1   1
 1  [ 2, 0, 0, 0, 0, 0, 0, 0 ]  0  pass1     2
 2  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  1  get_tk2   3
 3  [ 0, 2, 0, 0, 0, 0, 0, 0 ]  0  pass2     4
 4  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  2  get_tk3   5
 5  [ 0, 0, 2, 0, 0, 0, 0, 0 ]  0  pass3     6
 6  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  3  get_tk4   7
 7  [ 0, 0, 0, 2, 0, 0, 0, 0 ]  0  pass4     8
 8  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  4  get_tk5   9
 9  [ 0, 0, 0, 0, 2, 0, 0, 0 ]  0  pass5    10
10  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  5  get_tk6  11
11  [ 0, 0, 0, 0, 0, 2, 0, 0 ]  0  pass6    12
12  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  6  get_tk7  13
13  [ 0, 0, 0, 0, 0, 0, 2, 0 ]  0  pass7    14
14  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  7  get_tk8  15
15  [ 0, 0, 0, 0, 0, 0, 0, 2 ]  0  pass8     0

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 16
Number of states analyzed  : 16
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS

| Machine 1 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv1                  |
|  1   |  0 | ready1                |
|  2   |  3 | xmit1                 |
|  3   |  2 | mored1                |
|  3   |  0 | pass_tk1              |

| Machine 2 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv2                  |
|  1   |  0 | ready2                |
|  2   |  3 | xmit2                 |
|  3   |  2 | mored2                |
|  3   |  0 | pass_tk2              |

| Machine 3 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv3                  |
|  1   |  0 | ready3                |
|  2   |  3 | xmit3                 |
|  3   |  2 | mored3                |
|  3   |  0 | pass_tk3              |

| Machine 4 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv4                  |
|  1   |  0 | ready4                |
|  2   |  3 | xmit4                 |
|  3   |  2 | mored4                |
|  3   |  0 | pass_tk4              |

| Machine 5 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv5                  |
|  1   |  0 | ready5                |
|  2   |  3 | xmit5                 |
|  3   |  2 | mored5                |
|  3   |  0 | pass_tk5              |

| Machine 6 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv6                  |
|  1   |  0 | ready6                |
|  2   |  3 | xmit6                 |
|  3   |  2 | mored6                |
|  3   |  0 | pass_tk6              |

| Machine 7 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv7                  |
|  1   |  0 | ready7                |
|  2   |  3 | xmit7                 |
|  3   |  2 | mored7                |
|  3   |  0 | pass_tk7              |

| Machine 8 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv8                  |
|  1   |  0 | ready8                |
|  2   |  3 | xmit8                 |
|  3   |  2 | mored8                |
|  3   |  0 | pass_tk8              |
Program Output (One Message in outbuf Variable)


SYSTEM REACHABILITY GRAPH

 0  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  0  get_tk1    1
 1  [ 2, 0, 0, 0, 0, 0, 0, 0 ]  0  xmit1      2
 2  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  0  rcv2       3
 3  [ 3, 1, 0, 0, 0, 0, 0, 0 ]  0  ready2     4
 4  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  1  pass_tk1   5
 5  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  1  get_tk2    6
 6  [ 0, 2, 0, 0, 0, 0, 0, 0 ]  0  xmit2      7
 7  [ 0, 3, 0, 0, 0, 0, 0, 0 ]  0  rcv1       8
 8  [ 1, 3, 0, 0, 0, 0, 0, 0 ]  0  ready1     9
 9  [ 0, 3, 0, 0, 0, 0, 0, 0 ]  1  pass_tk2  10
10  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  2  get_tk3   11
11  [ 0, 0, 2, 0, 0, 0, 0, 0 ]  0  xmit3     12
12  [ 0, 0, 3, 0, 0, 0, 0, 0 ]  0  rcv1      13
13  [ 1, 0, 3, 0, 0, 0, 0, 0 ]  0  ready1    14
14  [ 0, 0, 3, 0, 0, 0, 0, 0 ]  1  pass_tk3  15
15  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  3  get_tk4   16
16  [ 0, 0, 0, 2, 0, 0, 0, 0 ]  0  xmit4     17
17  [ 0, 0, 0, 3, 0, 0, 0, 0 ]  0  rcv1      18
18  [ 1, 0, 0, 3, 0, 0, 0, 0 ]  0  ready1    19
19  [ 0, 0, 0, 3, 0, 0, 0, 0 ]  1  pass_tk4  20
20  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  4  get_tk5   21
21  [ 0, 0, 0, 0, 2, 0, 0, 0 ]  0  xmit5     22
22  [ 0, 0, 0, 0, 3, 0, 0, 0 ]  0  rcv1      23
23  [ 1, 0, 0, 0, 3, 0, 0, 0 ]  0  ready1    24
24  [ 0, 0, 0, 0, 3, 0, 0, 0 ]  1  pass_tk5  25
25  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  5  get_tk6   26
26  [ 0, 0, 0, 0, 0, 2, 0, 0 ]  0  xmit6     27
27  [ 0, 0, 0, 0, 0, 3, 0, 0 ]  0  rcv1      28
28  [ 1, 0, 0, 0, 0, 3, 0, 0 ]  0  ready1    29
29  [ 0, 0, 0, 0, 0, 3, 0, 0 ]  1  pass_tk6  30
30  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  6  get_tk7   31
31  [ 0, 0, 0, 0, 0, 0, 2, 0 ]  0  xmit7     32
32  [ 0, 0, 0, 0, 0, 0, 3, 0 ]  0  rcv1      33
33  [ 1, 0, 0, 0, 0, 0, 3, 0 ]  0  ready1    34
34  [ 0, 0, 0, 0, 0, 0, 3, 0 ]  1  pass_tk7  35
35  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  7  get_tk8   36
36  [ 0, 0, 0, 0, 0, 0, 0, 2 ]  0  xmit8     37
37  [ 0, 0, 0, 0, 0, 0, 0, 3 ]  0  rcv1      38
38  [ 1, 0, 0, 0, 0, 0, 0, 3 ]  0  ready1    39
39  [ 0, 0, 0, 0, 0, 0, 0, 3 ]  1  pass_tk8   0

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 40
Number of states analyzed  : 40
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS

| Machine 1 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  2   |  0 | pass1                 |
|  3   |  2 | mored1                |

| Machine 2 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  2   |  0 | pass2                 |
|  3   |  2 | mored2                |

| Machine 3 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv3                  |
|  1   |  0 | ready3                |
|  2   |  0 | pass3                 |
|  3   |  2 | mored3                |

| Machine 4 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv4                  |
|  1   |  0 | ready4                |
|  2   |  0 | pass4                 |
|  3   |  2 | mored4                |

| Machine 5 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv5                  |
|  1   |  0 | ready5                |
|  2   |  0 | pass5                 |
|  3   |  2 | mored5                |

| Machine 6 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv6                  |
|  1   |  0 | ready6                |
|  2   |  0 | pass6                 |
|  3   |  2 | mored6                |

| Machine 7 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv7                  |
|  1   |  0 | ready7                |
|  2   |  0 | pass7                 |
|  3   |  2 | mored7                |

| Machine 8 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv8                  |
|  1   |  0 | ready8                |
|  2   |  0 | pass8                 |
|  3   |  2 | mored8                |
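The two runs above (no message and one message in outbuf) can be reproduced with a small reachability explorer. The code below is an added example written for this edition, not the thesis's Ada validator: the eight machines, their local states 0..3 and the seven transitions per machine are taken from the state transition tables, while the enabling predicates, the neighbour addressing of token and data, and the (loc, token, medium, sent) state tuple are assumptions made here so that the state counts of those two runs (16 and 40) come out as printed.

```python
from collections import deque

N = 8  # machines 1..N, local states 0..3 as in the transition tables above
KINDS = ("rcv", "get_tk", "ready", "xmit", "pass", "mored", "pass_tk")

def enabled(state, m):
    """Yield (transition, successor) for each transition enabled in state.
    state = (loc, token, medium, sent): loc = the N local states; token = 0-based
    holder of the token; medium = None or the 0-based addressee of the message on
    MEDIUM; sent = messages sent during this token hold. m = messages per outbuf.
    The predicates are this example's assumption, not the thesis's own rules."""
    loc, token, medium, sent = state
    for i in range(N):
        k, s, nxt = i + 1, loc[i], (i + 1) % N       # token and data go to the neighbour
        upd = lambda v: loc[:i] + (v,) + loc[i + 1:]  # machine i's new local state
        if s == 0 and medium == i:                     # rcv:     0 -> 1, message for me
            yield f"rcv{k}", (upd(1), token, medium, sent)
        if s == 0 and token == i and medium is None:   # get_tk:  0 -> 2, claim the token
            yield f"get_tk{k}", (upd(2), token, None, 0)
        if s == 1:                                     # ready:   1 -> 0, MEDIUM consumed
            yield f"ready{k}", (upd(0), token, None, sent)
        if s == 2 and sent < m and medium is None:     # xmit:    2 -> 3, outbuf(j) onto MEDIUM
            yield f"xmit{k}", (upd(3), token, nxt, sent + 1)
        if s == 2 and sent >= m:                       # pass:    2 -> 0, nothing to send
            yield f"pass{k}", (upd(0), nxt, None, 0)
        if s == 3 and medium is None and sent < m:     # mored:   3 -> 2, more data to send
            yield f"mored{k}", (upd(2), token, None, sent)
        if s == 3 and medium is None and sent >= m:    # pass_tk: 3 -> 0, done, pass the token
            yield f"pass_tk{k}", (upd(0), nxt, None, 0)

def analyse(m):
    """Breadth-first reachability analysis: numbered graph rows, state count,
    deadlocks and unexecuted transitions, as the validator's summary reports."""
    init = ((0,) * N, 0, None, 0)
    number, queue, rows, executed, deadlocks = {init: 0}, deque([init]), [], set(), 0
    while queue:
        cur = queue.popleft()
        succ = list(enabled(cur, m))
        deadlocks += not succ                          # no enabled transition at all
        for name, new in succ:
            if new not in number:
                number[new] = len(number)
                queue.append(new)
            executed.add(name)
            rows.append(f"{number[cur]:3d} [ {', '.join(map(str, cur[0]))} ] {name:<8} {number[new]}")
    every = {f"{t}{k}" for t in KINDS for k in range(1, N + 1)}
    return {"graph": rows, "generated": len(number), "deadlocks": deadlocks,
            "unexecuted": sorted(every - executed)}

if __name__ == "__main__":
    print(*analyse(1)["graph"], sep="\n")              # the 40-row graph of the one-message run
```

With m = 2 the same model yields 9 states per machine (get_tk, xmit, rcv, ready, mored, xmit, rcv, ready, pass_tk), 72 in all; the thesis's own run with more than one message keeps a different state tuple and therefore prints a different count.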
Program Output (More Than One Message in outbuf Variable)

SYSTEM REACHABILITY GRAPH

 0  [ 0, 0, 0, 0, 0, 0, 0, 0 ]  0  get_tk1   1
 1  [ 2, 0, 0, 0, 0, 0, 0, 0 ]  0  xmit1     2
 2  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  0  rcv2      3
 3  [ 3, 1, 0, 0, 0, 0, 0, 0 ]  0  ready2    4
 4  [ 3, 0, 0, 0, 0, 0, 0, 0 ]  1  mored1    1

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 5
Number of states analyzed  : 5
Number of deadlocks        : 0

UNEXECUTED TRANSITIONS

| Machine 1 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv1                  |
|  1   |  0 | ready1                |
|  2   |  0 | pass1                 |
|  3   |  0 | pass_tk1              |

| Machine 2 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  2 | get_tk2               |
|  2   |  3 | xmit2                 |
|  2   |  0 | pass2                 |
|  3   |  2 | mored2                |
|  3   |  0 | pass_tk2              |

| Machine 3 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv3                  |
|  0   |  2 | get_tk3               |
|  1   |  0 | ready3                |
|  2   |  3 | xmit3                 |
|  2   |  0 | pass3                 |
|  3   |  2 | mored3                |
|  3   |  0 | pass_tk3              |

| Machine 4 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv4                  |
|  0   |  2 | get_tk4               |
|  1   |  0 | ready4                |
|  2   |  3 | xmit4                 |
|  2   |  0 | pass4                 |
|  3   |  2 | mored4                |
|  3   |  0 | pass_tk4              |

| Machine 5 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv5                  |
|  0   |  2 | get_tk5               |
|  1   |  0 | ready5                |
|  2   |  3 | xmit5                 |
|  2   |  0 | pass5                 |
|  3   |  2 | mored5                |
|  3   |  0 | pass_tk5              |

| Machine 6 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv6                  |
|  0   |  2 | get_tk6               |
|  1   |  0 | ready6                |
|  2   |  3 | xmit6                 |
|  2   |  0 | pass6                 |
|  3   |  2 | mored6                |
|  3   |  0 | pass_tk6              |

| Machine 7 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv7                  |
|  0   |  2 | get_tk7               |
|  1   |  0 | ready7                |
|  2   |  3 | xmit7                 |
|  2   |  0 | pass7                 |
|  3   |  2 | mored7                |
|  3   |  0 | pass_tk7              |

| Machine 8 Unexecuted Transitions |
| From | To | Unexecuted Transition |
|  0   |  1 | rcv8                  |
|  0   |  2 | get_tk8               |
|  1   |  0 | ready8                |
|  2   |  3 | xmit8                 |
|  2   |  0 | pass8                 |
|  3   |  2 | mored8                |
|  3   |  0 | pass_tk8              |
Program Output (Global Reachability Analysis)

There are seven messages in the outbuf variable of each machine.

REACHABILITY ANALYSIS of :tb8.scm
SPECIFICATION

| Machine 1 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv1       |
|  0   |  2 | get_tk1    |
|  1   |  0 | ready1     |
|  2   |  3 | xmit1      |
|  2   |  0 | pass1      |
|  3   |  2 | mored1     |
|  3   |  0 | pass_tk1   |

| Machine 2 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv2       |
|  0   |  2 | get_tk2    |
|  1   |  0 | ready2     |
|  2   |  3 | xmit2      |
|  2   |  0 | pass2      |
|  3   |  2 | mored2     |
|  3   |  0 | pass_tk2   |

| Machine 3 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv3       |
|  0   |  2 | get_tk3    |
|  1   |  0 | ready3     |
|  2   |  3 | xmit3      |
|  2   |  0 | pass3      |
|  3   |  2 | mored3     |
|  3   |  0 | pass_tk3   |

| Machine 4 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv4       |
|  0   |  2 | get_tk4    |
|  1   |  0 | ready4     |
|  2   |  3 | xmit4      |
|  2   |  0 | pass4      |
|  3   |  2 | mored4     |
|  3   |  0 | pass_tk4   |

| Machine 5 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv5       |
|  0   |  2 | get_tk5    |
|  1   |  0 | ready5     |
|  2   |  3 | xmit5      |
|  2   |  0 | pass5      |
|  3   |  2 | mored5     |
|  3   |  0 | pass_tk5   |

| Machine 6 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv6       |
|  0   |  2 | get_tk6    |
|  1   |  0 | ready6     |
|  2   |  3 | xmit6      |
|  2   |  0 | pass6      |
|  3   |  2 | mored6     |
|  3   |  0 | pass_tk6   |

| Machine 7 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv7       |
|  0   |  2 | get_tk7    |
|  1   |  0 | ready7     |
|  2   |  3 | xmit7      |
|  2   |  0 | pass7      |
|  3   |  2 | mored7     |
|  3   |  0 | pass_tk7   |

| Machine 8 State Transitions |
| From | To | Transition |
|  0   |  1 | rcv8       |
|  0   |  2 | get_tk8    |
|  1   |  0 | ready8     |
|  2   |  3 | xmit8      |
|  2   |  0 | pass8      |
|  3   |  2 | mored8     |
|  3   |  0 | pass_tk8   |

REACHABILITY GRAPH
[m1, m2, m3, m4, m5, m6, m7, m8, MEDIUM.t, MEDIUM.DA, MEDIUM.SA, MEDIUM.data]

SUMMARY OF REACHABILITY ANALYSIS (ANALYSIS COMPLETED)

Number of states generated : 263
Number of states analyzed  : 263
Number of deadlocks        : 0